diff --git a/.backportrc.json b/.backportrc.json
index e1dd718528..8094d6e7fa 100644
--- a/.backportrc.json
+++ b/.backportrc.json
@@ -2,6 +2,8 @@
 "upstream": "elastic/ecs",
 "branches": [
 { "name": "main", "checked": true },
+ "8.x",
+ "8.16",
 "8.11",
 "8.10",
 "8.9",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dde2819ff2..69c807403c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,35 @@ # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
+## [8.16.0](https://github.com/elastic/ecs/compare/v8.11.0...v8.16.0)
+
+### Schema Changes
+
+#### Bugfixes
+* Fix broken link in docs for vulnerability.id. #2328
+
+#### Added
+
+* Added `volume.*` as beta field set. #2269
+* Advanced `process.env_vars` to GA. #2315
+* Advanced `process.io` and `process.tty` fields to GA. #2317
+* Added `threat.indicator.id`. #2324
+* Added `process.group` to generated schemas. #2335
+
+#### Improvements
+
+* Define base encoding of `x509.serial_number`. #2383
+
+### Tooling and Artifact Changes
+
+#### Bugfixes
+
+* Fix broken link for vulnerabilty.id #2328
+
+#### Added
+
+* Documentation in README.md providing instruction on contributions to ECS during the OTel donation #2325
+
 ## [8.11.0](https://github.com/elastic/ecs/compare/v8.10.0...v8.11.0)
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 70a4a3e0a6..aae5b7a87f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -13,16 +13,9 @@ Thanks, you're awesome :-) -->
 #### Breaking changes
 #### Bugfixes
-* Fix broken link in docs for vulnerability.id. #2328
 #### Added
-* Added `volume.*` as beta field set. #2269
-* Advanced `process.env_vars` to GA. #2315
-* Advanced `process.io` and `process.tty` fields to GA. #2317
-* Added `threat.indicator.id`. #2324
-* Added `process.group` to generated schemas. #2335
-
 #### Improvements
 * Define base encoding of `x509.serial_number`. #2383
@@ -37,8 +30,6 @@ Thanks, you're awesome :-) -->
 #### Added
-* Documentation in README.md providing instruction on contributions to ECS during the OTel donation #2325
-
 #### Improvements
 #### Deprecated
diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc
index e8efb3cc75..f99e3d4198 100644
--- a/docs/fields/fields.asciidoc
+++ b/docs/fields/fields.asciidoc
@@ -1,7 +1,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
-This is the documentation of ECS version 8.12.0-dev.
+This is the documentation of ECS version 9.0.0-dev.
 ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 0df56fe128..ce7ae20021 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
-This is the documentation of ECS version 8.12.0-dev.
+This is the documentation of ECS version 9.0.0-dev.
 [float]
 === What is ECS?
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc
new file mode 100644
index 0000000000..f96da18a24
--- /dev/null
+++ b/docs/release-notes/8.16.asciidoc
@@ -0,0 +1,38 @@
+[[ecs-release-notes-8.16.0]]
+=== 8.16.0
+
+[[schema-changes-8.16.0]]
+[float]
+==== Schema changes
+
+[[schema-bugfixes-8.16.0]]
+[float]
+===== Bugfixes
+* Fix broken link in docs for vulnerability.id. {ecs_pull}2328[#2328]
+
+[[schema-added-8.16.0]]
+[float]
+===== Added
+
+* Added `volume.*` as beta field set. {ecs_pull}2269[#2269]
+* Advanced `process.env_vars` to GA. {ecs_pull}2315[#2315]
+* Advanced `process.io` and `process.tty` fields to GA. {ecs_pull}2317[#2317]
+* Added `threat.indicator.id`. {ecs_pull}2324[#2324]
+* Added `process.group` to generated schemas. {ecs_pull}2335[#2335]
+
+
+[[tooling-changes-8.16.0]]
+[float]
+==== Tooling and artifact changes
+
+[[tooling-bugfixes-8.16.0]]
+[float]
+===== Bugfixes
+* Fix broken link for vulnerabilty.id {ecs_pull}2328[#2328]
+
+[[tooling-added-8.16.0]]
+[float]
+===== Added
+
+* Documentation in README.md providing instruction on contributions to ECS during the OTel donation {ecs_pull}2325[#2325]
+
diff --git a/docs/release-notes/index.asciidoc b/docs/release-notes/index.asciidoc
index 968c6f62d9..01e792805a 100644
--- a/docs/release-notes/index.asciidoc
+++ b/docs/release-notes/index.asciidoc
@@ -3,6 +3,7 @@ This section summarizes the changes in each release.
+* <>
 * <>
 * <>
 * <>
@@ -27,6 +28,7 @@ This section summarizes the changes in each release.
 :issue: https://github.com/elastic/ecs/issues/
 :pull: https://github.com/elastic/ecs/pull/
+include::8.16.asciidoc[]
 include::8.11.asciidoc[]
 include::8.10.asciidoc[]
 include::8.9.asciidoc[]
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 932f199061..4edbea7a0b 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 8.12.0-dev+exp. +# based on ECS version 9.0.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index be5ee33461..2f73b45091 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1788 +1,1788 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -8.12.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -8.12.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -8.12.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -8.12.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -8.12.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -8.12.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -8.12.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -8.12.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -8.12.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -8.12.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -8.12.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -8.12.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -8.12.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-8.12.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -8.12.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -8.12.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -8.12.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -8.12.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -8.12.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-8.12.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -8.12.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -8.12.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -8.12.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -8.12.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -8.12.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -8.12.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. 
-8.12.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -8.12.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -8.12.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
-8.12.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -8.12.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.12.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.12.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.12.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -8.12.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.12.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -8.12.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.12.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. 
-8.12.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.12.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.12.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.12.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -8.12.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.12.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.12.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-8.12.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.12.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.12.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.12.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.12.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.12.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -8.12.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.12.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.12.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 
-8.12.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.12.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.12.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.12.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.12.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.12.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.12.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.12.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -8.12.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
-8.12.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.12.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.12.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.12.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.12.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.12.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.12.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.12.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.12.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
-8.12.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.12.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.12.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.12.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.12.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.12.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.12.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.12.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.12.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.12.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.12.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.12.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.12.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. 
-8.12.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.12.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.12.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.12.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -8.12.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.12.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -8.12.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.12.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.12.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.12.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.12.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.12.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.12.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.12.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. 
-8.12.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -8.12.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.12.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.12.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.12.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.12.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.12.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.12.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.12.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.12.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.12.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.12.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.12.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. 
-8.12.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -8.12.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.12.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -8.12.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.12.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.12.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.12.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.12.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.12.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.12.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.12.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.12.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.12.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. 
-8.12.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.12.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. 
-8.12.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-8.12.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.12.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.12.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.12.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -8.12.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -8.12.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.12.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 
-8.12.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.12.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.12.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.12.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.12.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -8.12.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.12.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -8.12.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.12.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.12.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.12.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.12.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.12.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.12.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. 
-8.12.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.12.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.12.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.12.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.12.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.12.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.12.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.12.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.12.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -8.12.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.12.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -8.12.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.12.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.12.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -8.12.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.12.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.12.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.12.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. 
-8.12.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.12.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.12.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.12.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.12.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.12.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.12.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.12.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.12.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.12.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.12.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -8.12.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.12.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.12.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.12.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.12.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. 
-8.12.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.12.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.12.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.12.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -8.12.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.12.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.12.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.12.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.12.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.12.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.12.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.12.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.12.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-8.12.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.12.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.12.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.12.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -8.12.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -8.12.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. 
-8.12.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.12.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.12.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.12.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -8.12.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.12.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.12.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. -8.12.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. 
-8.12.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.12.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.12.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.12.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.12.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.12.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -8.12.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.12.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -8.12.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.12.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.12.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -8.12.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -8.12.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -8.12.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. 
-8.12.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-8.12.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-8.12.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. 
-8.12.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-8.12.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.12.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.12.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. 
-8.12.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.12.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -8.12.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.12.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.12.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.12.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.12.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 
-8.12.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.12.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
-8.12.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
-8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-8.12.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -8.12.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.12.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 
-8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.12.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
-8.12.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -8.12.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -8.12.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.12.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.12.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. -8.12.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
-8.12.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.12.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.12.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -8.12.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-8.12.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.12.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.12.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.12.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -8.12.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.12.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.12.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.12.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.12.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.12.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.12.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -8.12.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.12.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.12.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -8.12.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.12.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.12.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -8.12.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.12.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -8.12.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.12.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-8.12.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-8.12.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -8.12.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -8.12.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.12.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.12.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -8.12.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.12.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.12.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -8.12.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.12.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -8.12.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.12.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.12.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-8.12.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.12.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.12.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.12.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.12.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.12.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.12.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.12.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.12.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.12.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -8.12.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.12.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.12.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.12.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.12.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.12.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
-8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.12.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-8.12.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.12.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.12.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.12.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.12.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.12.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.12.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.12.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
-8.12.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.12.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -8.12.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.12.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.12.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.12.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.12.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.12.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
-8.12.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.12.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.12.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.12.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.12.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.12.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.12.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.12.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.12.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
-8.12.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.12.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.12.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.12.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-8.12.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-8.12.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.12.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.12.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.12.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
-8.12.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -8.12.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -8.12.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -8.12.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.12.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-8.12.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -8.12.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
-8.12.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.12.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.12.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-8.12.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.12.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.12.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.12.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.12.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.12.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.12.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.12.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.12.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.12.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.12.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.12.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.12.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
-8.12.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.12.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.12.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.12.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.12.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.12.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.12.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.12.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
-8.12.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.12.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.0.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.0.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +9.0.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +9.0.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +9.0.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
+9.0.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +9.0.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +9.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +9.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.0.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
+9.0.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +9.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +9.0.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
+9.0.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
+9.0.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +9.0.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +9.0.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +9.0.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.0.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.0.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
+9.0.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.0.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +9.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.0.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.0.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +9.0.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.0.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.0.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.0.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.0.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.0.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+9.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.0.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 
+9.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.0.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.0.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.0.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.0.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. 
+9.0.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.0.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.0.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +9.0.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.0.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.0.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.0.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.0.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.0.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.0.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.0.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.0.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.0.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.0.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.0.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. 
+9.0.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.0.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +9.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.0.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +9.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.0.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.0.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.0.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.0.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. 
+9.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +9.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +9.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.0.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. 
+9.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +9.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.0.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.0.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +9.0.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.0.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.0.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.0.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +9.0.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
+9.0.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+9.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+9.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.0.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.0.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. 
+9.0.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +9.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +9.0.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +9.0.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.0.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 
+9.0.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.0.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.0.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +9.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.0.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.0.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.0.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.0.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +9.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.0.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. 
+9.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.0.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +9.0.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.0.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +9.0.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.0.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.0.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +9.0.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. 
+9.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.0.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.0.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +9.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc" +9.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +9.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+9.0.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +9.0.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.0.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.0.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). 
+9.0.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.0.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.0.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.0.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +9.0.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. 
+9.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +9.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +9.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +9.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +9.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +9.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +9.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.0.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+9.0.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.0.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.0.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.0.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.0.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.0.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.0.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.0.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.0.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.0.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.0.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
+9.0.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.0.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.0.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. 
+9.0.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.0.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
+9.0.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. 
This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.0.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 
+9.0.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
+9.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +9.0.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.0.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+9.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.0.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +9.0.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +9.0.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+9.0.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.0.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. +9.0.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+9.0.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +9.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +9.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +9.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.0.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.0.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +9.0.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +9.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. 
+9.0.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
+9.0.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. 
+9.0.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +9.0.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +9.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.0.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.0.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +9.0.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +9.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. 
+9.0.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 
+9.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.0.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.0.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.0.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.0.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.0.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.0.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.0.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +9.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.0.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+9.0.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.0.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.0.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
+9.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +9.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
+9.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +9.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.0.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
+9.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
+9.0.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +9.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +9.0.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +9.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 
+9.0.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +9.0.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.0.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+9.0.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.0.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.0.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.0.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.0.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.0.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.0.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.0.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.0.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.0.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.0.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.0.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.0.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. 
+9.0.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.0.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.0.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.0.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +9.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +9.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 
+9.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index 557ba8eb6e..e1b68bc031 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index aaf9afefb0..8b0e484962 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 941bb2191a..092d3a33e7 100644 --- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "8.12.0-dev+exp" + "ecs_version": "9.0.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json
index 743a9d3dc2..bd06c6abce 100644
--- a/experimental/generated/elasticsearch/composable/component/client.json
+++ b/experimental/generated/elasticsearch/composable/component/client.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json
index e8ce7e6399..28e968adb8 100644
--- a/experimental/generated/elasticsearch/composable/component/cloud.json
+++ b/experimental/generated/elasticsearch/composable/component/cloud.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json
index 5a939273fa..9f430ba42c 100644
--- a/experimental/generated/elasticsearch/composable/component/container.json
+++ b/experimental/generated/elasticsearch/composable/component/container.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json
index 602c2f81d3..9cc522bd77 100644
--- a/experimental/generated/elasticsearch/composable/component/data_stream.json
+++ b/experimental/generated/elasticsearch/composable/component/data_stream.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json
index a332a95269..5c3e47f68d 100644
--- a/experimental/generated/elasticsearch/composable/component/destination.json
+++ b/experimental/generated/elasticsearch/composable/component/destination.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json
index 215d046175..711b131438 100644
--- a/experimental/generated/elasticsearch/composable/component/device.json
+++ b/experimental/generated/elasticsearch/composable/component/device.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json
index e59687764d..7f09c08d43 100644
--- a/experimental/generated/elasticsearch/composable/component/dll.json
+++ b/experimental/generated/elasticsearch/composable/component/dll.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json
index 4ed0861343..23c6eb2aea 100644
--- a/experimental/generated/elasticsearch/composable/component/dns.json
+++ b/experimental/generated/elasticsearch/composable/component/dns.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json
index a4e6e32eff..fb53443d7f 100644
--- a/experimental/generated/elasticsearch/composable/component/ecs.json
+++ b/experimental/generated/elasticsearch/composable/component/ecs.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json
index 5de733e5f7..e79c0bc54b 100644
--- a/experimental/generated/elasticsearch/composable/component/email.json
+++ b/experimental/generated/elasticsearch/composable/component/email.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json
index 81365f394c..1ffda6da4d 100644
--- a/experimental/generated/elasticsearch/composable/component/error.json
+++ b/experimental/generated/elasticsearch/composable/component/error.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json
index b26490b26e..9b5934bfb1 100644
--- a/experimental/generated/elasticsearch/composable/component/event.json
+++ b/experimental/generated/elasticsearch/composable/component/event.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json
index f87ec45729..37adc56cea 100644
--- a/experimental/generated/elasticsearch/composable/component/faas.json
+++ b/experimental/generated/elasticsearch/composable/component/faas.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json
index 175a0cbab7..23726f8e0d 100644
--- a/experimental/generated/elasticsearch/composable/component/file.json
+++ b/experimental/generated/elasticsearch/composable/component/file.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json
index d553ed9148..2d1d44be2a 100644
--- a/experimental/generated/elasticsearch/composable/component/group.json
+++ b/experimental/generated/elasticsearch/composable/component/group.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json
index b62d228655..e70d5efb99 100644
--- a/experimental/generated/elasticsearch/composable/component/host.json
+++ b/experimental/generated/elasticsearch/composable/component/host.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json
index cd3cefba64..4d156eab39 100644
--- a/experimental/generated/elasticsearch/composable/component/http.json
+++ b/experimental/generated/elasticsearch/composable/component/http.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json
index 6aae5a04e0..dfac9cfa24 100644
--- a/experimental/generated/elasticsearch/composable/component/log.json
+++ b/experimental/generated/elasticsearch/composable/component/log.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json
index b170d396f5..cb42c402ce 100644
--- a/experimental/generated/elasticsearch/composable/component/network.json
+++ b/experimental/generated/elasticsearch/composable/component/network.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json
index 80f43d522d..bcc07801e6 100644
--- a/experimental/generated/elasticsearch/composable/component/observer.json
+++ b/experimental/generated/elasticsearch/composable/component/observer.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json
index f1eedca0d1..8c159f269f 100644
--- a/experimental/generated/elasticsearch/composable/component/orchestrator.json
+++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json
index 49962ddcb3..d4bd623bbb 100644
--- a/experimental/generated/elasticsearch/composable/component/organization.json
+++ b/experimental/generated/elasticsearch/composable/component/organization.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json
index d7aa066318..2f8407105b 100644
--- a/experimental/generated/elasticsearch/composable/component/package.json
+++ b/experimental/generated/elasticsearch/composable/component/package.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json
index 76b8983a3b..1f0700dc05 100644
--- a/experimental/generated/elasticsearch/composable/component/process.json
+++ b/experimental/generated/elasticsearch/composable/component/process.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json
index 71753df64d..84a720c5c9 100644
--- a/experimental/generated/elasticsearch/composable/component/registry.json
+++ b/experimental/generated/elasticsearch/composable/component/registry.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json
index 529fa9a356..fb793ec7f1 100644
--- a/experimental/generated/elasticsearch/composable/component/related.json
+++ b/experimental/generated/elasticsearch/composable/component/related.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json
index a614c71927..a60f42d277 100644
--- a/experimental/generated/elasticsearch/composable/component/rule.json
+++ b/experimental/generated/elasticsearch/composable/component/rule.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json
index 102722875f..77be2f4c04 100644
--- a/experimental/generated/elasticsearch/composable/component/server.json
+++ b/experimental/generated/elasticsearch/composable/component/server.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json
index 93a1f7fca9..7cbe9ebd19 100644
--- a/experimental/generated/elasticsearch/composable/component/service.json
+++ b/experimental/generated/elasticsearch/composable/component/service.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json
index a17ed2a0a8..7e8dca104c 100644
--- a/experimental/generated/elasticsearch/composable/component/source.json
+++ b/experimental/generated/elasticsearch/composable/component/source.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json
index 32056d1507..1e69b2af2b 100644
--- a/experimental/generated/elasticsearch/composable/component/threat.json
+++ b/experimental/generated/elasticsearch/composable/component/threat.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json
index 5ce583f817..4630b45bba 100644
--- a/experimental/generated/elasticsearch/composable/component/tls.json
+++ b/experimental/generated/elasticsearch/composable/component/tls.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json
index b3485b8808..95814055f4 100644
--- a/experimental/generated/elasticsearch/composable/component/tracing.json
+++ b/experimental/generated/elasticsearch/composable/component/tracing.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json
index e2f6efe932..c227d871a7 100644
--- a/experimental/generated/elasticsearch/composable/component/url.json
+++ b/experimental/generated/elasticsearch/composable/component/url.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json
index a2e9f72723..540d6558ed 100644
--- a/experimental/generated/elasticsearch/composable/component/user.json
+++ b/experimental/generated/elasticsearch/composable/component/user.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json
index f95f4f22a1..165d8bfd6e 100644
--- a/experimental/generated/elasticsearch/composable/component/user_agent.json
+++ b/experimental/generated/elasticsearch/composable/component/user_agent.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/volume.json b/experimental/generated/elasticsearch/composable/component/volume.json
index a53f3b65d8..e3802fa838 100644
--- a/experimental/generated/elasticsearch/composable/component/volume.json
+++ b/experimental/generated/elasticsearch/composable/component/volume.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json
index 395e9a6cbe..e1431bfef4 100644
--- a/experimental/generated/elasticsearch/composable/component/vulnerability.json
+++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "template": {
 "mappings": {
diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json
index 5243ee3ba5..079b07510c 100644
--- a/experimental/generated/elasticsearch/composable/template.json
+++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,50 +1,50 @@
 {
 "_meta": {
 "description": "Sample composable template that includes all ECS fields",
- "ecs_version": "8.12.0-dev+exp"
+ "ecs_version": "9.0.0-dev+exp"
 },
 "composed_of": [
- "ecs_8.12.0-dev-exp_cgroup",
- "ecs_8.12.0-dev-exp_base",
- "ecs_8.12.0-dev-exp_agent",
- "ecs_8.12.0-dev-exp_client",
- "ecs_8.12.0-dev-exp_cloud",
- "ecs_8.12.0-dev-exp_container",
- "ecs_8.12.0-dev-exp_data_stream",
- "ecs_8.12.0-dev-exp_destination",
- "ecs_8.12.0-dev-exp_device",
- "ecs_8.12.0-dev-exp_dll",
- "ecs_8.12.0-dev-exp_dns",
- "ecs_8.12.0-dev-exp_ecs",
- "ecs_8.12.0-dev-exp_email",
- "ecs_8.12.0-dev-exp_error",
- "ecs_8.12.0-dev-exp_event",
- "ecs_8.12.0-dev-exp_faas",
- "ecs_8.12.0-dev-exp_file",
- "ecs_8.12.0-dev-exp_group",
- "ecs_8.12.0-dev-exp_host",
- "ecs_8.12.0-dev-exp_http",
- "ecs_8.12.0-dev-exp_log",
- "ecs_8.12.0-dev-exp_network",
- "ecs_8.12.0-dev-exp_observer",
- "ecs_8.12.0-dev-exp_orchestrator",
- "ecs_8.12.0-dev-exp_organization",
- "ecs_8.12.0-dev-exp_package",
- "ecs_8.12.0-dev-exp_process",
- "ecs_8.12.0-dev-exp_registry",
- "ecs_8.12.0-dev-exp_related",
- "ecs_8.12.0-dev-exp_rule",
- "ecs_8.12.0-dev-exp_server",
- "ecs_8.12.0-dev-exp_service",
- "ecs_8.12.0-dev-exp_source",
- "ecs_8.12.0-dev-exp_threat",
- "ecs_8.12.0-dev-exp_tls",
- "ecs_8.12.0-dev-exp_tracing",
- "ecs_8.12.0-dev-exp_url",
- "ecs_8.12.0-dev-exp_user_agent",
- "ecs_8.12.0-dev-exp_user",
- "ecs_8.12.0-dev-exp_volume",
- "ecs_8.12.0-dev-exp_vulnerability"
+ "ecs_9.0.0-dev-exp_cgroup",
+ "ecs_9.0.0-dev-exp_base",
+ "ecs_9.0.0-dev-exp_agent",
+ "ecs_9.0.0-dev-exp_client",
+ "ecs_9.0.0-dev-exp_cloud",
+ "ecs_9.0.0-dev-exp_container",
+ "ecs_9.0.0-dev-exp_data_stream",
+ "ecs_9.0.0-dev-exp_destination",
+ "ecs_9.0.0-dev-exp_device",
+ "ecs_9.0.0-dev-exp_dll",
+ "ecs_9.0.0-dev-exp_dns",
+ "ecs_9.0.0-dev-exp_ecs",
+ "ecs_9.0.0-dev-exp_email",
+ "ecs_9.0.0-dev-exp_error",
+ "ecs_9.0.0-dev-exp_event",
+ "ecs_9.0.0-dev-exp_faas",
+ "ecs_9.0.0-dev-exp_file",
+ "ecs_9.0.0-dev-exp_group",
+ "ecs_9.0.0-dev-exp_host",
+ "ecs_9.0.0-dev-exp_http",
+ "ecs_9.0.0-dev-exp_log",
+ "ecs_9.0.0-dev-exp_network",
+ "ecs_9.0.0-dev-exp_observer",
+ "ecs_9.0.0-dev-exp_orchestrator",
+ "ecs_9.0.0-dev-exp_organization",
+ "ecs_9.0.0-dev-exp_package",
+ "ecs_9.0.0-dev-exp_process",
+ "ecs_9.0.0-dev-exp_registry",
+ "ecs_9.0.0-dev-exp_related",
+ "ecs_9.0.0-dev-exp_rule",
+ "ecs_9.0.0-dev-exp_server",
+ "ecs_9.0.0-dev-exp_service",
+ "ecs_9.0.0-dev-exp_source",
+ "ecs_9.0.0-dev-exp_threat",
+ "ecs_9.0.0-dev-exp_tls",
+ "ecs_9.0.0-dev-exp_tracing",
+ "ecs_9.0.0-dev-exp_url",
+ "ecs_9.0.0-dev-exp_user_agent",
+ "ecs_9.0.0-dev-exp_user",
+ "ecs_9.0.0-dev-exp_volume",
+ "ecs_9.0.0-dev-exp_vulnerability"
 ],
 "index_patterns": [
 "try-ecs-*"
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index bc7f446065..13003e6b81 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -4,7 +4,7 @@
 ],
 "mappings": {
 "_meta": {
- "version": "8.12.0-dev+exp"
+ "version": "9.0.0-dev+exp"
 },
 "date_detection": false,
 "dynamic_templates": [
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index fc1cab5897..05a7e4da52 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 8.12.0-dev.
+# based on ECS version 9.0.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 8af3fac81a..177908f017 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,1781 +1,1781 @@
 ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
-8.12.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
-8.12.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
-8.12.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer.
-8.12.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
-8.12.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
-8.12.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
-8.12.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
-8.12.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
-8.12.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
-8.12.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
-8.12.0-dev,true,client,client.address,keyword,extended,,,Client network address.
-8.12.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-8.12.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
-8.12.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-8.12.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-8.12.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client.
-8.12.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
-8.12.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
-8.12.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
-8.12.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-8.12.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
-8.12.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-8.12.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-8.12.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
-8.12.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-8.12.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
-8.12.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-8.12.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
-8.12.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
-8.12.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
-8.12.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
-8.12.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
-8.12.0-dev,true,client,client.port,long,core,,,Port of the client.
-8.12.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
-8.12.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
-8.12.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-8.12.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-8.12.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
-8.12.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-8.12.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-8.12.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-8.12.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-8.12.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
-8.12.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-8.12.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-8.12.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
-8.12.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-8.12.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-8.12.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-8.12.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
-8.12.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
-8.12.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-8.12.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
-8.12.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-8.12.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-8.12.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
-8.12.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
-8.12.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
-8.12.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
-8.12.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
-8.12.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id.
-8.12.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name.
-8.12.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider.
-8.12.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
-8.12.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name.
-8.12.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
-8.12.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
-8.12.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
-8.12.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
-8.12.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
-8.12.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id.
-8.12.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name.
-8.12.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
-8.12.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -8.12.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -8.12.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -8.12.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -8.12.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -8.12.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -8.12.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -8.12.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -8.12.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev,true,container,container.id,keyword,core,,,Unique container id. -8.12.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -8.12.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -8.12.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -8.12.0-dev,true,container,container.labels,object,extended,,,Image labels. -8.12.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -8.12.0-dev,true,container,container.name,keyword,extended,,,Container name. 
-8.12.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -8.12.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -8.12.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -8.12.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -8.12.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -8.12.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -8.12.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -8.12.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -8.12.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.12.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -8.12.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -8.12.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -8.12.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -8.12.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -8.12.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -8.12.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -8.12.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-8.12.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. 
-8.12.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -8.12.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -8.12.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -8.12.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -8.12.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -8.12.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -8.12.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -8.12.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -8.12.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
-8.12.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -8.12.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -8.12.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -8.12.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -8.12.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -8.12.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -8.12.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -8.12.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -8.12.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -8.12.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 
-8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -8.12.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -8.12.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -8.12.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -8.12.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -8.12.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -8.12.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -8.12.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -8.12.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -8.12.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -8.12.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -8.12.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -8.12.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. 
-8.12.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -8.12.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -8.12.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -8.12.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -8.12.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -8.12.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -8.12.0-dev,true,error,error.message,match_only_text,core,,,Error message. -8.12.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -8.12.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -8.12.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -8.12.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -8.12.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -8.12.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -8.12.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -8.12.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -8.12.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -8.12.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. 
-8.12.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -8.12.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -8.12.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -8.12.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -8.12.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -8.12.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -8.12.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -8.12.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -8.12.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -8.12.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -8.12.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -8.12.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -8.12.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -8.12.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -8.12.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. 
-8.12.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -8.12.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -8.12.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -8.12.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -8.12.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -8.12.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -8.12.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -8.12.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -8.12.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -8.12.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -8.12.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -8.12.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,file,file.created,date,extended,,,File creation time. -8.12.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
-8.12.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.12.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
-8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-8.12.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-8.12.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -8.12.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -8.12.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -8.12.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -8.12.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -8.12.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -8.12.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 
-8.12.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -8.12.0-dev,true,host,host.id,keyword,core,,,Unique host id. -8.12.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -8.12.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -8.12.0-dev,true,host,host.name,keyword,core,,,Name of the host. -8.12.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -8.12.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -8.12.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -8.12.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -8.12.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-8.12.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -8.12.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev,true,host,host.type,keyword,core,,,Type of host. -8.12.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -8.12.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-8.12.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -8.12.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -8.12.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -8.12.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -8.12.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -8.12.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -8.12.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -8.12.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -8.12.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -8.12.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -8.12.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -8.12.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -8.12.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -8.12.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -8.12.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -8.12.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -8.12.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -8.12.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. 
-8.12.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -8.12.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -8.12.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -8.12.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -8.12.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -8.12.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -8.12.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -8.12.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -8.12.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -8.12.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -8.12.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -8.12.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -8.12.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -8.12.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -8.12.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -8.12.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
-8.12.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -8.12.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -8.12.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -8.12.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -8.12.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -8.12.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -8.12.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -8.12.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -8.12.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -8.12.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -8.12.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.12.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -8.12.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -8.12.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -8.12.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -8.12.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -8.12.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -8.12.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -8.12.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-8.12.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -8.12.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -8.12.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -8.12.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -8.12.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -8.12.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -8.12.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -8.12.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -8.12.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. 
-8.12.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -8.12.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -8.12.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -8.12.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -8.12.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -8.12.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -8.12.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -8.12.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -8.12.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -8.12.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -8.12.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -8.12.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -8.12.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. 
-8.12.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -8.12.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -8.12.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -8.12.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -8.12.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -8.12.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -8.12.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -8.12.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -8.12.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -8.12.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -8.12.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -8.12.0-dev,true,package,package.name,keyword,extended,,go,Package name -8.12.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -8.12.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -8.12.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -8.12.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -8.12.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -8.12.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
-8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
-8.12.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-8.12.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. 
-8.12.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -8.12.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -8.12.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-8.12.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-8.12.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -8.12.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-8.12.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -8.12.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -8.12.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -8.12.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -8.12.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -8.12.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 
-8.12.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -8.12.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -8.12.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -8.12.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -8.12.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-8.12.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-8.12.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-8.12.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
-8.12.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -8.12.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-8.12.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -8.12.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -8.12.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -8.12.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -8.12.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-8.12.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 
-8.12.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
-8.12.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -8.12.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -8.12.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -8.12.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-8.12.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. -8.12.0-dev,true,process,process.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-8.12.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -8.12.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -8.12.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -8.12.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -8.12.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -8.12.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. 
-8.12.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -8.12.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -8.12.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-8.12.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 
-8.12.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -8.12.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -8.12.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -8.12.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -8.12.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -8.12.0-dev,true,process,process.title,keyword,extended,,,Process title. -8.12.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -8.12.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -8.12.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -8.12.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -8.12.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -8.12.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -8.12.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. 
-8.12.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -8.12.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.12.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -8.12.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -8.12.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-8.12.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -8.12.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -8.12.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -8.12.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -8.12.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -8.12.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -8.12.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -8.12.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -8.12.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -8.12.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -8.12.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -8.12.0-dev,true,server,server.address,keyword,extended,,,Server network address. -8.12.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -8.12.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -8.12.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-8.12.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -8.12.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -8.12.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -8.12.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -8.12.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -8.12.0-dev,true,server,server.port,long,core,,,Port of the server. -8.12.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -8.12.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. 
-8.12.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -8.12.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -8.12.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -8.12.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -8.12.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -8.12.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -8.12.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. 
-8.12.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -8.12.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -8.12.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -8.12.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -8.12.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -8.12.0-dev,true,source,source.address,keyword,extended,,,Source network address. -8.12.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -8.12.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -8.12.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-8.12.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -8.12.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -8.12.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -8.12.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -8.12.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -8.12.0-dev,true,source,source.port,long,core,,,Port of the source. -8.12.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -8.12.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -8.12.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. 
-8.12.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -8.12.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -8.12.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -8.12.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -8.12.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -8.12.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -8.12.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -8.12.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -8.12.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -8.12.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -8.12.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -8.12.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -8.12.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-8.12.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -8.12.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -8.12.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -8.12.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -8.12.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -8.12.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -8.12.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -8.12.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -8.12.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -8.12.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -8.12.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -8.12.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -8.12.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -8.12.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -8.12.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -8.12.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -8.12.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -8.12.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -8.12.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -8.12.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -8.12.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -8.12.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -8.12.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -8.12.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -8.12.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -8.12.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -8.12.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. 
-8.12.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -8.12.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -8.12.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -8.12.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -8.12.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -8.12.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -8.12.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -8.12.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -8.12.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -8.12.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.12.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
-8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -8.12.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -8.12.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -8.12.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -8.12.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.12.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
-8.12.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -8.12.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -8.12.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -8.12.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -8.12.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -8.12.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -8.12.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-8.12.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -8.12.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -8.12.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -8.12.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -8.12.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -8.12.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -8.12.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-8.12.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -8.12.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -8.12.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -8.12.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -8.12.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -8.12.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -8.12.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -8.12.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -8.12.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -8.12.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-8.12.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -8.12.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -8.12.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -8.12.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -8.12.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -8.12.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -8.12.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -8.12.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -8.12.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -8.12.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-8.12.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -8.12.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-8.12.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -8.12.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-8.12.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -8.12.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -8.12.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -8.12.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -8.12.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -8.12.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -8.12.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -8.12.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -8.12.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
-8.12.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -8.12.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -8.12.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -8.12.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -8.12.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -8.12.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -8.12.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -8.12.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -8.12.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -8.12.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -8.12.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-8.12.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -8.12.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -8.12.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -8.12.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -8.12.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -8.12.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -8.12.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -8.12.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.12.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -8.12.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -8.12.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -8.12.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -8.12.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-8.12.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -8.12.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -8.12.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -8.12.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -8.12.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -8.12.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -8.12.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -8.12.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-8.12.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -8.12.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -8.12.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -8.12.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -8.12.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -8.12.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -8.12.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -8.12.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -8.12.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -8.12.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-8.12.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -8.12.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -8.12.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -8.12.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -8.12.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -8.12.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -8.12.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -8.12.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -8.12.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -8.12.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -8.12.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -8.12.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -8.12.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-8.12.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -8.12.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -8.12.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -8.12.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -8.12.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -8.12.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -8.12.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -8.12.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -8.12.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -8.12.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -8.12.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -8.12.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -8.12.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-8.12.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-8.12.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -8.12.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-8.12.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -8.12.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.12.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -8.12.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -8.12.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -8.12.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -8.12.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -8.12.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -8.12.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -8.12.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -8.12.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -8.12.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -8.12.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-8.12.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -8.12.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -8.12.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -8.12.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -8.12.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -8.12.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -8.12.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -8.12.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -8.12.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -8.12.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
-8.12.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -8.12.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -8.12.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -8.12.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -8.12.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -8.12.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -8.12.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -8.12.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -8.12.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -8.12.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -8.12.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -8.12.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -8.12.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -8.12.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -8.12.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -8.12.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -8.12.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -8.12.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -8.12.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-8.12.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -8.12.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -8.12.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -8.12.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -8.12.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -8.12.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -8.12.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -8.12.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.0.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+9.0.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. +9.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.0.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. 
+9.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +9.0.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +9.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.0.0-dev,true,client,client.port,long,core,,,Port of the client. +9.0.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.0.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. 
+9.0.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.0.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.0.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.0.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.0.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.0.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.0.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.0.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. 
+9.0.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.0.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.0.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. +9.0.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.0.0-dev,true,container,container.labels,object,extended,,,Image labels. +9.0.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.0.0-dev,true,container,container.name,keyword,extended,,,Container name. +9.0.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.0.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.0.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
+9.0.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.0.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +9.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.0.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 
+9.0.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.0.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +9.0.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.0.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.0.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.0.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.0.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.0.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+9.0.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.0.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.0.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.0.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
+9.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.0.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.0.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.0.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.0.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.0.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+9.0.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.0.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.0.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.0.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.0.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.0.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.0.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.0.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.0.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.0.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.0.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.0.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.0.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.0.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +9.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.0.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+9.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.0.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.0.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.0.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.0.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+9.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +9.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.0.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +9.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.0.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.0.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+9.0.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.0.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.0.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.0.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +9.0.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,file,file.created,date,extended,,,File creation time. +9.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.0.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.0.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+9.0.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.0.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
+9.0.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+9.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.0.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.0.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.0.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.0.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. +9.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +9.0.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. 
+9.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. +9.0.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.0.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.0.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.0.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.0.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.0.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev,true,host,host.type,keyword,core,,,Type of host. +9.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.0.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.0.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.0.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
+9.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.0.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +9.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.0.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +9.0.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.0.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +9.0.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.0.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
+9.0.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +9.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.0.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.0.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.0.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
+9.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +9.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +9.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.0.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+9.0.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +9.0.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.0.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.0.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.0.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.0.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.0.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
+9.0.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.0.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.0.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.0.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.0.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.0.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +9.0.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." 
+9.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +9.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.0.0-dev,true,package,package.name,keyword,extended,,go,Package name +9.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +9.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +9.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +9.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.0.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. 
+9.0.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.0.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.0.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
+9.0.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
+9.0.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
+9.0.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.0.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.0.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.0.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.0.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.0.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.0.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.0.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.0.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.0.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.0.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.0.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.0.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 
+9.0.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+9.0.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
+9.0.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.0.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+9.0.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.0.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+9.0.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.0.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.0.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.0.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.0.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +9.0.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.0.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.0.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +9.0.0-dev,true,process,process.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. 
+9.0.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.0.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.0.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.0.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.0.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.0.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.0.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.0.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.0.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.0.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.0.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.0.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.0.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.0.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.0.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.0.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.0.0-dev,true,process,process.title,keyword,extended,,,Process title. +9.0.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +9.0.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.0.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.0.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+9.0.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.0.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.0.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +9.0.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +9.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +9.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. +9.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.0.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 
+9.0.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +9.0.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +9.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.0.0-dev,true,server,server.port,long,core,,,Port of the server. +9.0.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,server,server.user.email,keyword,extended,,,User email address. 
+9.0.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+9.0.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.0.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.0.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.0.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.0.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+9.0.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.0.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.0.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.0.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.0.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +9.0.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. +9.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.0.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+9.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +9.0.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +9.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.0.0-dev,true,source,source.port,long,core,,,Port of the source. +9.0.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +9.0.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.0.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.0.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.0.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.0.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.0.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.0.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
+9.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.0.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.0.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.0.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.0.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.0.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.0.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.0.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.0.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.0.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.0.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.0.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.0.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.0.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.0.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.0.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.0.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.0.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.0.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.0.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.0.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.0.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.0.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.0.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.0.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.0.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.0.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.0.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.0.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.0.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.0.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.0.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.0.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. 
+9.0.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.0.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.0.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.0.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.0.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.0.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.0.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.0.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.0.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.0.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.0.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.0.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.0.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.0.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+9.0.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.0.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.0.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.0.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.0.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.0.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.0.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.0.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.0.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+9.0.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.0.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.0.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.0.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.0.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.0.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.0.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.0.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.0.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.0.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.0.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.0.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +9.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
+9.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +9.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.0.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
+9.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.0.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +9.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.0.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +9.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
+9.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.0.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.0.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+9.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +9.0.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.0.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+9.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +9.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +9.0.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +9.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.0.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.0.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.0.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.0.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.0.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.0.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +9.0.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +9.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.0.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.0.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.0.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." 
+9.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.0.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.0.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.0.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.0.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.0.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.0.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.0.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.0.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.0.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.0.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.0.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.0.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +9.0.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.0.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.0.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.0.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+9.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+9.0.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+9.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+9.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+9.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+9.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+9.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+9.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+9.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+9.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+9.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+9.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json
index 50480c9cbb..7f17383fbb 100644
--- a/generated/elasticsearch/composable/component/agent.json
+++ b/generated/elasticsearch/composable/component/agent.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json
index 4f23f82647..624a1d6c97 100644
--- a/generated/elasticsearch/composable/component/base.json
+++ b/generated/elasticsearch/composable/component/base.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json
index 12ad20b7eb..4cbfa854af 100644
--- a/generated/elasticsearch/composable/component/client.json
+++ b/generated/elasticsearch/composable/component/client.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json
index a8a8b153ce..51d4fee30e 100644
--- a/generated/elasticsearch/composable/component/cloud.json
+++ b/generated/elasticsearch/composable/component/cloud.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json
index c7312c0590..4faf35f06d 100644
--- a/generated/elasticsearch/composable/component/container.json
+++ b/generated/elasticsearch/composable/component/container.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json
index e651fedd50..c40f2d272c 100644
--- a/generated/elasticsearch/composable/component/data_stream.json
+++ b/generated/elasticsearch/composable/component/data_stream.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json
index 590ee3e5a5..730525eb7d 100644
--- a/generated/elasticsearch/composable/component/destination.json
+++ b/generated/elasticsearch/composable/component/destination.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json
index 741cf82323..337d0743ea 100644
--- a/generated/elasticsearch/composable/component/device.json
+++ b/generated/elasticsearch/composable/component/device.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json
index 7c76d1ed0d..5c670260ab 100644
--- a/generated/elasticsearch/composable/component/dll.json
+++ b/generated/elasticsearch/composable/component/dll.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json
index 06ca50ac7f..45b9ec4cfa 100644
--- a/generated/elasticsearch/composable/component/dns.json
+++ b/generated/elasticsearch/composable/component/dns.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json
index 083fc546bd..38df701cbf 100644
--- a/generated/elasticsearch/composable/component/ecs.json
+++ b/generated/elasticsearch/composable/component/ecs.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json
index 4046e33558..f33c03d837 100644
--- a/generated/elasticsearch/composable/component/email.json
+++ b/generated/elasticsearch/composable/component/email.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json
index 826c6bac1a..7093c10d23 100644
--- a/generated/elasticsearch/composable/component/error.json
+++ b/generated/elasticsearch/composable/component/error.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json
index 7ae691519c..7c2b5ea678 100644
--- a/generated/elasticsearch/composable/component/event.json
+++ b/generated/elasticsearch/composable/component/event.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json
index 4f54d3e060..b8c16712d2 100644
--- a/generated/elasticsearch/composable/component/faas.json
+++ b/generated/elasticsearch/composable/component/faas.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json
index c032c0a53c..297ac13916 100644
--- a/generated/elasticsearch/composable/component/file.json
+++ b/generated/elasticsearch/composable/component/file.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json
index c7e37d2323..a291ac1005 100644
--- a/generated/elasticsearch/composable/component/group.json
+++ b/generated/elasticsearch/composable/component/group.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json
index a955778bfe..ae079eb1b0 100644
--- a/generated/elasticsearch/composable/component/host.json
+++ b/generated/elasticsearch/composable/component/host.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json
index 9d209b4a3a..1ed457a5aa 100644
--- a/generated/elasticsearch/composable/component/http.json
+++ b/generated/elasticsearch/composable/component/http.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json
index 9703a4b497..aa8a9b2bec 100644
--- a/generated/elasticsearch/composable/component/log.json
+++ b/generated/elasticsearch/composable/component/log.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json
index 1725824f84..8c09be1804 100644
--- a/generated/elasticsearch/composable/component/network.json
+++ b/generated/elasticsearch/composable/component/network.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json
index 99008f11a8..d31b163fd1 100644
--- a/generated/elasticsearch/composable/component/observer.json
+++ b/generated/elasticsearch/composable/component/observer.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json
index 53a1bd6b89..9e72bdfa93 100644
--- a/generated/elasticsearch/composable/component/orchestrator.json
+++ b/generated/elasticsearch/composable/component/orchestrator.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json
index 56762f3de6..8730348984 100644
--- a/generated/elasticsearch/composable/component/organization.json
+++ b/generated/elasticsearch/composable/component/organization.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json
index 6376f5b53f..bdaa12d928 100644
--- a/generated/elasticsearch/composable/component/package.json
+++ b/generated/elasticsearch/composable/component/package.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json
index d48a4eddab..81c4c03846 100644
--- a/generated/elasticsearch/composable/component/process.json
+++ b/generated/elasticsearch/composable/component/process.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json
index 3856c6e3cb..b8a73bd78b 100644
--- a/generated/elasticsearch/composable/component/registry.json
+++ b/generated/elasticsearch/composable/component/registry.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json
index cac093b662..6b487f6c68 100644
--- a/generated/elasticsearch/composable/component/related.json
+++ b/generated/elasticsearch/composable/component/related.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json
index a3694fd784..12adf9ef56 100644
--- a/generated/elasticsearch/composable/component/rule.json
+++ b/generated/elasticsearch/composable/component/rule.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json
index e8978c26ff..39fdfda05f 100644
--- a/generated/elasticsearch/composable/component/server.json
+++ b/generated/elasticsearch/composable/component/server.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json
index 17648ead56..b9da4f32d1 100644
--- a/generated/elasticsearch/composable/component/service.json
+++ b/generated/elasticsearch/composable/component/service.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json
index 0555f13234..7349d597b9 100644
--- a/generated/elasticsearch/composable/component/source.json
+++ b/generated/elasticsearch/composable/component/source.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json
index 40f98ec195..963682a592 100644
--- a/generated/elasticsearch/composable/component/threat.json
+++ b/generated/elasticsearch/composable/component/threat.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json
index f3f26026cf..2bfd41ff15 100644
--- a/generated/elasticsearch/composable/component/tls.json
+++ b/generated/elasticsearch/composable/component/tls.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json
index 250aa8ed1e..38b9537b3f 100644
--- a/generated/elasticsearch/composable/component/tracing.json
+++ b/generated/elasticsearch/composable/component/tracing.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json
index c14680686d..aa88348959 100644
--- a/generated/elasticsearch/composable/component/url.json
+++ b/generated/elasticsearch/composable/component/url.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json
index a98f31729b..5b657805c6 100644
--- a/generated/elasticsearch/composable/component/user.json
+++ b/generated/elasticsearch/composable/component/user.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json
index 9ab60f9068..cd15db5f42 100644
--- a/generated/elasticsearch/composable/component/user_agent.json
+++ b/generated/elasticsearch/composable/component/user_agent.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/volume.json b/generated/elasticsearch/composable/component/volume.json
index b83bf621eb..76e7568b17 100644
--- a/generated/elasticsearch/composable/component/volume.json
+++ b/generated/elasticsearch/composable/component/volume.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json
index 58f2df9bb6..43db4e229c 100644
--- a/generated/elasticsearch/composable/component/vulnerability.json
+++ b/generated/elasticsearch/composable/component/vulnerability.json
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "template": {
 "mappings": {
diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json
index 1a16f6ab83..f3f690bd4a 100644
--- a/generated/elasticsearch/composable/template.json
+++ b/generated/elasticsearch/composable/template.json
@@ -1,49 +1,49 @@
 {
 "_meta": {
 "description": "Sample composable template that includes all ECS fields",
- "ecs_version": "8.12.0-dev"
+ "ecs_version": "9.0.0-dev"
 },
 "composed_of": [
- "ecs_8.12.0-dev_base",
- "ecs_8.12.0-dev_agent",
- "ecs_8.12.0-dev_client",
- "ecs_8.12.0-dev_cloud",
- "ecs_8.12.0-dev_container",
- "ecs_8.12.0-dev_data_stream",
- "ecs_8.12.0-dev_destination",
- "ecs_8.12.0-dev_device",
- "ecs_8.12.0-dev_dll",
- "ecs_8.12.0-dev_dns",
- "ecs_8.12.0-dev_ecs",
- "ecs_8.12.0-dev_email",
- "ecs_8.12.0-dev_error",
- "ecs_8.12.0-dev_event",
- "ecs_8.12.0-dev_faas",
- "ecs_8.12.0-dev_file",
- "ecs_8.12.0-dev_group",
- "ecs_8.12.0-dev_host",
- "ecs_8.12.0-dev_http",
- "ecs_8.12.0-dev_log",
- "ecs_8.12.0-dev_network",
- "ecs_8.12.0-dev_observer",
- "ecs_8.12.0-dev_orchestrator",
- "ecs_8.12.0-dev_organization",
- "ecs_8.12.0-dev_package",
- "ecs_8.12.0-dev_process",
- "ecs_8.12.0-dev_registry",
- "ecs_8.12.0-dev_related",
- "ecs_8.12.0-dev_rule",
- "ecs_8.12.0-dev_server",
- "ecs_8.12.0-dev_service",
- "ecs_8.12.0-dev_source",
- "ecs_8.12.0-dev_threat",
- "ecs_8.12.0-dev_tls",
- "ecs_8.12.0-dev_tracing",
- "ecs_8.12.0-dev_url",
- "ecs_8.12.0-dev_user_agent",
- "ecs_8.12.0-dev_user",
- "ecs_8.12.0-dev_volume",
- "ecs_8.12.0-dev_vulnerability"
+ "ecs_9.0.0-dev_base",
+ "ecs_9.0.0-dev_agent",
+ "ecs_9.0.0-dev_client",
+ "ecs_9.0.0-dev_cloud",
+ "ecs_9.0.0-dev_container",
+ "ecs_9.0.0-dev_data_stream",
+ "ecs_9.0.0-dev_destination",
+ "ecs_9.0.0-dev_device",
+ "ecs_9.0.0-dev_dll",
+ "ecs_9.0.0-dev_dns",
+ "ecs_9.0.0-dev_ecs",
+ "ecs_9.0.0-dev_email",
+ "ecs_9.0.0-dev_error",
+ "ecs_9.0.0-dev_event",
+ "ecs_9.0.0-dev_faas",
+ "ecs_9.0.0-dev_file",
+ "ecs_9.0.0-dev_group",
+ "ecs_9.0.0-dev_host",
+ "ecs_9.0.0-dev_http",
+ "ecs_9.0.0-dev_log",
+ "ecs_9.0.0-dev_network",
+ "ecs_9.0.0-dev_observer",
+ "ecs_9.0.0-dev_orchestrator",
+ "ecs_9.0.0-dev_organization",
+ "ecs_9.0.0-dev_package",
+ "ecs_9.0.0-dev_process",
+ "ecs_9.0.0-dev_registry",
+ "ecs_9.0.0-dev_related",
+ "ecs_9.0.0-dev_rule",
+ "ecs_9.0.0-dev_server",
+ "ecs_9.0.0-dev_service",
+ "ecs_9.0.0-dev_source",
+ "ecs_9.0.0-dev_threat",
+ "ecs_9.0.0-dev_tls",
+ "ecs_9.0.0-dev_tracing",
+ "ecs_9.0.0-dev_url",
+ "ecs_9.0.0-dev_user_agent",
+ "ecs_9.0.0-dev_user",
+ "ecs_9.0.0-dev_volume",
+ "ecs_9.0.0-dev_vulnerability"
 ],
 "index_patterns": [
 "try-ecs-*"
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 66b302cebd..1a8d14b60e 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -4,7 +4,7 @@
 ],
 "mappings": {
 "_meta": {
- "version": "8.12.0-dev"
+ "version": "9.0.0-dev"
 },
 "date_detection": false,
 "dynamic_templates": [
diff --git a/version b/version
index b659a6eb73..f6c8661fed 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-8.12.0-dev
+9.0.0-dev