From 2cf3642e527d248bc866255326730c39f77cb2c2 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 29 Jan 2025 11:00:46 -0800 Subject: [PATCH 01/12] Prepare changelog for 8.17 release (#2437) --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69c807403c..073e44a3fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,19 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [8.17.0](https://github.com/elastic/ecs/compare/v8.16.0...v8.17.0) + +### Schema Changes + +#### Bugfixes + +* Fix link rendering issues and usage of http in links. #2423 + +#### Improvements + +* Increase ignore_above value for url.query. #2424 +* Set synthetic_source_keep = none on fields that represent sets. #2422 + ## [8.16.0](https://github.com/elastic/ecs/compare/v8.11.0...v8.16.0) ### Schema Changes From a086bdd5efc8b5e488dc40d5297452db1632c7f4 Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Sat, 1 Feb 2025 02:31:32 +0100 Subject: [PATCH 02/12] github-action: Add AsciiDoc freeze warning (#2432) github-action: Add AsciiDoc freeze warning --- .../workflows/comment-on-asciidoc-changes.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/comment-on-asciidoc-changes.yml diff --git a/.github/workflows/comment-on-asciidoc-changes.yml b/.github/workflows/comment-on-asciidoc-changes.yml new file mode 100644 index 0000000000..8e5f836b14 --- /dev/null +++ b/.github/workflows/comment-on-asciidoc-changes.yml 
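Review bot: The unchanged `[8.16.0]` entry directly below the new `[8.17.0]` block compares `v8.11.0...v8.16.0`, which looks like a stale base tag next to the correct `v8.16.0...v8.17.0` link added here; since this PR prepares the release changelog, fixing that link in the same change would keep the two entries consistent. The `Increase ignore_above value for url.query. #2424` bullet would also be more useful to readers if it stated the new limit.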
@@ -0,0 +1,21 @@ +--- +name: Comment on PR for .asciidoc changes + +on: + # We need to use pull_request_target to be able to comment on PRs from forks + pull_request_target: + types: + - synchronize + - opened + - reopened + branches: + - main + - master + - "9.0" + +jobs: + comment-on-asciidoc-change: + permissions: + contents: read + pull-requests: write + uses: elastic/docs-builder/.github/workflows/comment-on-asciidoc-changes.yml@main From 9ed51098b0dff9c4c897fc328b8c39eff20b46e3 Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Mon, 3 Feb 2025 21:48:53 +0900 Subject: [PATCH 03/12] [RFC] Stage 1: Introducing new fields in file/dll/process fields (#2395) * Update 0048-fileorigin-fields.md * Create file.yml * Create process.yml * Update file.yml * Create dll.yml * Update process.yml * Update file.yml * Update dll.yml * Update 0048-fileorigin-fields.md * Update 0048-fileorigin-fields.md * Update 0048-fileorigin-fields.md * Update dll.yml * Update file.yml * Update process.yml --- rfcs/text/0048-fileorigin-fields.md | 28 +++++++++++++++++----------- rfcs/text/0048/dll.yml | 27 +++++++++++++++++++++++++++ rfcs/text/0048/file.yml | 25 +++++++++++++++++++++++++ rfcs/text/0048/process.yml | 25 +++++++++++++++++++++++++ 4 files changed, 94 insertions(+), 11 deletions(-) create mode 100644 rfcs/text/0048/dll.yml create mode 100644 rfcs/text/0048/file.yml create mode 100644 rfcs/text/0048/process.yml diff --git a/rfcs/text/0048-fileorigin-fields.md b/rfcs/text/0048-fileorigin-fields.md index 85622991b7..4df7c5ef7f 100644 --- a/rfcs/text/0048-fileorigin-fields.md +++ b/rfcs/text/0048-fileorigin-fields.md 
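Review bot: The reusable workflow is referenced by a mutable ref, `uses: elastic/docs-builder/.github/workflows/comment-on-asciidoc-changes.yml@main`, while the job runs on `pull_request_target` with `pull-requests: write`; because `pull_request_target` executes in the base repository's context, any change pushed to `main` of `docs-builder` would run here with that write permission and without review in this repository. Pin the reusable workflow to a full commit SHA (with a comment noting the corresponding tag) and let a dependency-update bot bump it, keeping `contents: read` as the only other permission.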
@@ -1,8 +1,8 @@ # 0048: File Origin Fields -- Stage: **0 (strawperson)** -- Date: **2024-10-15** +- Stage: **1 (Draft)** +- Date: **2024-XX-XX** +* File + * A file open event may be generated when a file is opened. By including the file's origin information in the event, the system can assess whether the file might be malware downloaded from a malicious website based on those URLs. +* Process + * Generally, a process is generated from an executable file. However, there's a possibility that the executable file originating the process could be malware. To enhance security, we aim to include the executable file’s origin information at the process creation event and use the origin URL to help determine if the file is malicious. +* DLL + * A process may load DLLs (libraries) as needed. However, there are cases where a malicious DLL prepared by an attacker might be loaded. To enhance security, we would like to check whether the loaded DLL was downloaded from the internet and, if so, where it was downloaded from. This information can help in determining whether the loaded DLL is malicious. + ## Source data +Example sources of data is shown in the above. + @@ -135,7 +141,7 @@ e.g.: -* Stage 0: https://github.com/elastic/ecs/pull/2387 +* Stage 1: https://github.com/elastic/ecs/pull/2395 #### Breaking changes +* Remove deprecated fields from previous major release; `process.pgid`, `service.node.role`, and inherited users. #2410 + #### Bugfixes * Fix link rendering issues and usage of http in links. #2423 diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 987b7b6393..fee551b9ad 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
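Review bot: `+- Date: **2024-XX-XX**` leaves a placeholder in the RFC header that must be replaced with the actual stage 1 date before merge, and the `2024-` prefix looks wrong for a commit dated 2025-02-03. In the same file, `+Example sources of data is shown in the above.` should read `Example sources of data are shown above.`; the File/Process/DLL bullets it refers to are added before the `## Source data` heading, so consider moving them under that heading so the sentence points at content that follows it.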
@@ -8624,24 +8624,6 @@ Multi-fields: example: `ssh` -| extended - -// =============================================================== - -| -[[field-process-pgid]] -<> - -a| Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - -Identifier of the group of processes the process belongs to. - -type: long - - - - - | extended // =============================================================== diff --git a/docs/opentelemetry/otel-mapping-summary.asciidoc b/docs/opentelemetry/otel-mapping-summary.asciidoc index 6083c4861a..342601e1b7 100644 --- a/docs/opentelemetry/otel-mapping-summary.asciidoc +++ b/docs/opentelemetry/otel-mapping-summary.asciidoc @@ -815,7 +815,7 @@ h| Namespace | Process -^| <> +^| <> ^| https://opentelemetry.io/docs/specs/semconv/attributes-registry/process[33] ^| 15 ^| 2 diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index fdb929ed56..fd704c9e3b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -6897,15 +6897,6 @@ format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: parent.pgid - level: extended - type: long - format: string - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - default_field: false - name: parent.pid level: core type: long 
@@ -7269,14 +7260,6 @@ format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: pgid - level: extended - type: long - format: string - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - name: pid level: core type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2f73b45091..a851e99808 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -884,7 +884,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 9.0.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 9.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 9.0.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.0.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. 
@@ -938,7 +937,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. 9.0.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.0.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 9.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. 9.0.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.0.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1e98a4f605..232ace1ad6 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -11631,20 +11631,6 @@ process.parent.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.pgid: - dashed_name: process-parent-pgid - description: 'Deprecated for removal in next major version release. This field is - superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.parent.pgid - format: string - level: extended - name: pgid - normalize: [] - original_fieldset: process - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.parent.pid: dashed_name: process-parent-pid description: Process id. 
@@ -12260,19 +12246,6 @@ process.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.pgid: - dashed_name: process-pgid - description: 'Deprecated for removal in next major version release. This field is - superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.pgid - format: string - level: extended - name: pgid - normalize: [] - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.pid: dashed_name: process-pid description: Process id. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index df0c77cd0a..a6331615c2 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -13917,20 +13917,6 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.pgid: - dashed_name: process-parent-pgid - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.parent.pgid - format: string - level: extended - name: pgid - normalize: [] - original_fieldset: process - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.parent.pid: dashed_name: process-parent-pid description: Process id. 
@@ -14547,19 +14533,6 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.pgid: - dashed_name: process-pgid - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.pgid - format: string - level: extended - name: pgid - normalize: [] - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.pid: dashed_name: process-pid description: Process id. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 5a5f6d40ba..0661c41320 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1258,9 +1258,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, @@ -1506,9 +1503,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index b2ef1132e6..fdf0899b3c 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4020,9 +4020,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, @@ -4268,9 +4265,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 39573cbf0d..9c72e1d110 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -6847,15 +6847,6 @@ format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: parent.pgid - level: extended - type: long - format: string - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - default_field: false - name: parent.pid level: core type: long @@ -7219,14 +7210,6 @@ format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: pgid - level: extended - type: long - format: string - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - name: pid level: core type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 177908f017..e88f3df281 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -877,7 +877,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 9.0.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.0.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 9.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 9.0.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.0.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. 
@@ -931,7 +930,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. 9.0.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.0.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. 9.0.0-dev,true,process,process.pid,long,core,,4242,Process id. 9.0.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.0.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1efa3181de..678a7c0a84 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -11562,20 +11562,6 @@ process.parent.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.pgid: - dashed_name: process-parent-pgid - description: 'Deprecated for removal in next major version release. This field is - superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.parent.pgid - format: string - level: extended - name: pgid - normalize: [] - original_fieldset: process - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.parent.pid: dashed_name: process-parent-pid description: Process id. 
@@ -12191,19 +12177,6 @@ process.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.pgid: - dashed_name: process-pgid - description: 'Deprecated for removal in next major version release. This field is - superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.pgid - format: string - level: extended - name: pgid - normalize: [] - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.pid: dashed_name: process-pid description: Process id. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b202b8f4a1..cc958b9e02 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -13837,20 +13837,6 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.pgid: - dashed_name: process-parent-pgid - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.parent.pgid - format: string - level: extended - name: pgid - normalize: [] - original_fieldset: process - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.parent.pid: dashed_name: process-parent-pid description: Process id. 
@@ -14467,19 +14453,6 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.pgid: - dashed_name: process-pgid - description: 'Deprecated for removal in next major version release. This field - is superseded by `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to.' - flat_name: process.pgid - format: string - level: extended - name: pgid - normalize: [] - short: Deprecated identifier of the group of processes the process belongs to. - type: long process.pid: dashed_name: process-pid description: Process id. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index db04670fce..10b00ecc8c 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1258,9 +1258,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, @@ -1506,9 +1503,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 18442c28ee..02f880f6ef 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3978,9 +3978,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, @@ -4226,9 +4223,6 @@ } } }, - "pgid": { - "type": "long" - }, "pid": { "type": "long" }, diff --git a/schemas/process.yml b/schemas/process.yml index 289204d597..439704166b 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
@@ -138,17 +138,6 @@ - type: match_only_text name: text - - name: pgid - format: string - level: extended - type: long - short: Deprecated identifier of the group of processes the process belongs to. - description: > - Deprecated for removal in next major version release. This field is superseded by - `process.group_leader.pid`. - - Identifier of the group of processes the process belongs to. - - name: command_line level: extended type: wildcard diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 63b44449fc..beea72fac0 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -317,7 +317,6 @@ fields: name: {} pe: fields: "*" - pgid: {} pid: {} vpid: {} start: {} @@ -368,7 +367,6 @@ fields: name: {} pe: fields: "*" - pgid: {} pid: {} vpid: {} previous: From 9347ad003bdd540a594541094efa1d48e04a308d Mon Sep 17 00:00:00 2001 
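Review bot: The `CHANGELOG.next.md` breaking-change entry `Remove deprecated fields from previous major release; process.pgid, service.node.role, and inherited users. #2410` does not tell users what replaces the removed fields, although every removed `pgid` definition carried `superseded by process.group_leader.pid`; that migration hint belongs in the changelog line, e.g. `Remove deprecated process.pgid and process.parent.pgid (superseded by process.group_leader.pid) ...`. The visible hunks only remove `pgid` from `schemas/process.yml`, `schemas/subsets/main.yml` and the generated artifacts; the `service.node.role` and inherited-user removals named in the entry are not in the diff shown here, so confirm they are covered by the same change.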
From: Asuka Nakajima Date: Sat, 8 Feb 2025 04:30:15 +0900 Subject: [PATCH 05/12] [RFC] Stage 2: Introducing new fields in file/dll/process fields (#2441) --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 72 +++++++++++++ .../otel-mapping-summary.asciidoc | 4 +- experimental/generated/beats/fields.ecs.yml | 56 ++++++++++ experimental/generated/csv/fields.csv | 8 ++ experimental/generated/ecs/ecs_flat.yml | 100 ++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 100 ++++++++++++++++++ .../composable/component/dll.json | 8 ++ .../composable/component/file.json | 8 ++ .../composable/component/threat.json | 16 +++ .../elasticsearch/legacy/template.json | 32 ++++++ generated/beats/fields.ecs.yml | 56 ++++++++++ generated/csv/fields.csv | 8 ++ generated/ecs/ecs_flat.yml | 100 ++++++++++++++++++ generated/ecs/ecs_nested.yml | 100 ++++++++++++++++++ .../composable/component/dll.json | 8 ++ .../composable/component/file.json | 8 ++ .../composable/component/threat.json | 16 +++ generated/elasticsearch/legacy/template.json | 32 ++++++ rfcs/text/0048-fileorigin-fields.md | 59 +++++++++-- schemas/dll.yml | 16 +++ schemas/file.yml | 16 +++ schemas/process.yml | 16 +++ 23 files changed, 832 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 3a6eaff847..67fbb71b4d 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> * Fix link rendering issues and usage of http in links. #2423 #### Added +* Add `origin_referrer_url` and `origin_url` fields, which indicate the origin information to the file, process and dll schemas #2441 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index fee551b9ad..7f5679e367 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -1841,6 +1841,42 @@ example: `kernel32.dll` // =============================================================== +| +[[field-dll-origin-referrer-url]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The URL of the webpage that linked to the dll file. + +type: keyword + + + +example: `http://example.com/article1.html` + +| extended + +// =============================================================== + +| +[[field-dll-origin-url]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The URL where the dll file is hosted. + +type: keyword + + + +example: `http://example.com/files/example.dll` + +| extended + +// =============================================================== + | [[field-dll-path]] <> @@ -4447,6 +4483,42 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele // =============================================================== +| +[[field-file-origin-referrer-url]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The URL of the webpage that linked to the file. + +type: keyword + + + +example: `http://example.com/article1.html` + +| extended + +// =============================================================== + +| +[[field-file-origin-url]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The URL where the file is hosted. + +type: keyword + + + +example: `http://example.com/imgs/article1_img1.jpg` + +| extended + +// =============================================================== + | [[field-file-owner]] <> diff --git a/docs/opentelemetry/otel-mapping-summary.asciidoc b/docs/opentelemetry/otel-mapping-summary.asciidoc index 342601e1b7..b1a9d9873d 100644 --- a/docs/opentelemetry/otel-mapping-summary.asciidoc +++ b/docs/opentelemetry/otel-mapping-summary.asciidoc @@ -311,7 +311,7 @@ h| Namespace | DLL -^| <> +^| <> ^| · ^| · ^| · @@ -443,7 +443,7 @@ h| Namespace | File -^| <> +^| <> ^| https://opentelemetry.io/docs/specs/semconv/attributes-registry/file[18] ^| 11 ^| 7 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index fd704c9e3b..da8fcb2686 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1399,6 +1399,20 @@ This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + default_field: false - name: path level: extended type: keyword @@ -3021,6 +3035,20 @@ ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: owner level: extended type: keyword 
@@ -9645,6 +9673,20 @@ description: Name of the file including the extension, without the directory. example: example.png default_field: false + - name: enrichments.indicator.file.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: enrichments.indicator.file.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: enrichments.indicator.file.owner level: extended type: keyword @@ -11267,6 +11309,20 @@ description: Name of the file including the extension, without the directory. example: example.png default_field: false + - name: indicator.file.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: indicator.file.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: indicator.file.owner level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index a851e99808..c23fc84400 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -166,6 +166,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. 9.0.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. 9.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev+exp,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.0.0-dev+exp,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. 9.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 9.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 9.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
@@ -364,6 +366,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev+exp,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
@@ -1228,6 +1232,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
@@ -1447,6 +1453,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev+exp,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev+exp,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 232ace1ad6..1c383350b5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -2112,6 +2112,30 @@ dll.name: normalize: [] short: Name of the library. type: keyword +dll.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-referrer-url + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + flat_name: dll.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the dll file. + type: keyword +dll.origin_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-url + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + flat_name: dll.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the dll file is hosted. + type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. @@ -5151,6 +5175,30 @@ file.name: stability: experimental short: Name of the file including the extension, without the directory. type: keyword +file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the file. + type: keyword +file.origin_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the file is hosted. + type: keyword file.owner: dashed_name: file-owner description: File owner's username. 
@@ -16028,6 +16076,32 @@ threat.enrichments.indicator.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword +threat.enrichments.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.enrichments.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword +threat.enrichments.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.enrichments.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.enrichments.indicator.file.owner: dashed_name: threat-enrichments-indicator-file-owner description: File owner's username. 
@@ -18765,6 +18839,32 @@ threat.indicator.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword +threat.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword +threat.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.indicator.file.owner: dashed_name: threat-indicator-file-owner description: File owner's username. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a6331615c2..d5e6aaac47 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2611,6 +2611,30 @@ dll: normalize: [] short: Name of the library. type: keyword + dll.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-referrer-url + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + flat_name: dll.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the dll file. + type: keyword + dll.origin_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-url + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + flat_name: dll.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the dll file is hosted. + type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. @@ -6212,6 +6236,30 @@ file: stability: experimental short: Name of the file including the extension, without the directory. type: keyword + file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the file. + type: keyword + file.origin_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the file is hosted. + type: keyword file.owner: dashed_name: file-owner description: File owner's username. 
@@ -18769,6 +18817,32 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword + threat.enrichments.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.enrichments.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword + threat.enrichments.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.enrichments.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.enrichments.indicator.file.owner: dashed_name: threat-enrichments-indicator-file-owner description: File owner's username. 
@@ -21514,6 +21588,32 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword + threat.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword + threat.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.indicator.file.owner: dashed_name: threat-indicator-file-owner description: File owner's username. diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 7f09c08d43..e29845afad 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -88,6 +88,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "path": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index 87b131c471..4f458e0248 100644 
--- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -349,6 +349,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 81fd8f4631..02559871a7 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -333,6 +333,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" @@ -1264,6 +1272,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index fdf0899b3c..9fd27b6a14 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -874,6 +874,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "path": { "ignore_above": 1024, "type": "keyword" 
@@ -1713,6 +1721,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" @@ -5616,6 +5632,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" @@ -6547,6 +6571,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9c72e1d110..ddcd580f9d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1349,6 +1349,20 @@ This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + default_field: false - name: path level: extended type: keyword 
@@ -2971,6 +2985,20 @@ ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: owner level: extended type: keyword @@ -9595,6 +9623,20 @@ description: Name of the file including the extension, without the directory. example: example.png default_field: false + - name: enrichments.indicator.file.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: enrichments.indicator.file.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: enrichments.indicator.file.owner level: extended type: keyword @@ -11217,6 +11259,20 @@ description: Name of the file including the extension, without the directory. example: example.png default_field: false + - name: indicator.file.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + default_field: false + - name: indicator.file.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false - name: indicator.file.owner level: extended type: keyword 
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e88f3df281..1b7b9815da 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -159,6 +159,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. 9.0.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. 9.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.0.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.0.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. 9.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 9.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 9.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
@@ -357,6 +359,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
@@ -1221,6 +1225,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
@@ -1440,6 +1446,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 9.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. 9.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.0.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.0.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. 9.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 9.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 9.0.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 678a7c0a84..b12d8e90a2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2043,6 +2043,30 @@ dll.name: normalize: [] short: Name of the library. type: keyword +dll.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-referrer-url + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + flat_name: dll.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the dll file. + type: keyword +dll.origin_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-url + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + flat_name: dll.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the dll file is hosted. + type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. @@ -5082,6 +5106,30 @@ file.name: stability: experimental short: Name of the file including the extension, without the directory. type: keyword +file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the file. + type: keyword +file.origin_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the file is hosted. + type: keyword file.owner: dashed_name: file-owner description: File owner's username. 
@@ -15959,6 +16007,32 @@ threat.enrichments.indicator.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword +threat.enrichments.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.enrichments.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword +threat.enrichments.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.enrichments.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.enrichments.indicator.file.owner: dashed_name: threat-enrichments-indicator-file-owner description: File owner's username. 
@@ -18696,6 +18770,32 @@ threat.indicator.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword +threat.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword +threat.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.indicator.file.owner: dashed_name: threat-indicator-file-owner description: File owner's username. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cc958b9e02..fb97c570fa 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2531,6 +2531,30 @@ dll: normalize: [] short: Name of the library. type: keyword + dll.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-referrer-url + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + flat_name: dll.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the dll file. + type: keyword + dll.origin_url: + beta: This field is beta and subject to change. + dashed_name: dll-origin-url + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + flat_name: dll.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the dll file is hosted. + type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. @@ -6132,6 +6156,30 @@ file: stability: experimental short: Name of the file including the extension, without the directory. type: keyword + file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the file. + type: keyword + file.origin_url: + beta: This field is beta and subject to change. + dashed_name: file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the file is hosted. + type: keyword file.owner: dashed_name: file-owner description: File owner's username. 
@@ -18689,6 +18737,32 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword + threat.enrichments.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.enrichments.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword + threat.enrichments.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.enrichments.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.enrichments.indicator.file.owner: dashed_name: threat-enrichments-indicator-file-owner description: File owner's username. 
@@ -21434,6 +21508,32 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword + threat.indicator.file.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-referrer-url + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html + flat_name: threat.indicator.file.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: file + short: The URL of the webpage that linked to the file. + type: keyword + threat.indicator.file.origin_url: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-origin-url + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + flat_name: threat.indicator.file.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: file + short: The URL where the file is hosted. + type: keyword threat.indicator.file.owner: dashed_name: threat-indicator-file-owner description: File owner's username. diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 5c670260ab..7a25221e0a 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -88,6 +88,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "path": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 7dfdab45b5..65f6d93ac6 100644 --- a/generated/elasticsearch/composable/component/file.json 
+++ b/generated/elasticsearch/composable/component/file.json @@ -349,6 +349,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 4d79b76e78..5831dbf2c4 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -333,6 +333,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" @@ -1264,6 +1272,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 02f880f6ef..e67f1f33c5 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -832,6 +832,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "path": { "ignore_above": 1024, "type": "keyword" @@ -1671,6 +1679,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" 
@@ -5574,6 +5590,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" @@ -6505,6 +6529,14 @@ "ignore_above": 1024, "type": "keyword" }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, "owner": { "ignore_above": 1024, "type": "keyword" diff --git a/rfcs/text/0048-fileorigin-fields.md b/rfcs/text/0048-fileorigin-fields.md index 4df7c5ef7f..e47e92414d 100644 --- a/rfcs/text/0048-fileorigin-fields.md +++ b/rfcs/text/0048-fileorigin-fields.md 
@@ -1,8 +1,8 @@ # 0048: File Origin Fields -- Stage: **1 (Draft)** -- Date: **2024-XX-XX** +- Stage: **2 (Candidate)** +- Date: **2025-02-07* +The following is the real world example and usage for these fields. + +### File (use case) +As mentioned above, when a file is downloaded from a web browser, the source URL information is recorded and attached to it. +* **Windows(Added in the file's Alternate Data Stream)** +image + +* **MacOS (Added in the file's extended attributes)** +image + +The image source is as follows (since I don't have MacOS device): +https://stackoverflow.com/questions/70444996/obtaining-metadata-where-from-of-a-file-on-mac + +These fields could be invaluable in determining whether a file was downloaded from a malicious website or if a previously downloaded file originated from a newly identified malicious site. For example, suppose `https://outlook.office.com/` was discovered today to be malicious. These fields would help answer questions like, "How many files were downloaded from this website?" +![image](https://github.com/user-attachments/assets/9a546e7d-a0dd-4a1a-929d-12d8cbcc7c72) + +Note - These fields are currently intended for use in file creation events, but I believe they could also be applied to file open events and other similar cases. + +### Process (use case) +A process is created from an executable file, which contains the program's code and instructions. +Running a legitimate executable file is not an issue, but there is a risk that the file could be malware downloaded from a malicious website set up by an attacker. Therefore, if an executable file was downloaded from the internet, verifying its source is important for security. + +Therefore, for security purposes, we would like to add these file origin fields to the process creation event. 
During process creation, the path of the executable file from which the process originates is typically included as following, and we expect to use this to identify the executable file path and collect the file origin information. + +![image](https://github.com/user-attachments/assets/d95e35bc-7f92-4708-ba2c-3cc51c96ed62) + +### DLL (use case) +DLL (shared code libraries) events indicate information about the libraries loaded by a process, and each event field contains details about the loaded DLL. As written in ECS(dll) yaml file, shared code libraries are used across all major operating systems, and each OS refers to them as follows: +* Windows: Commonly, Dynamic-link library (`.dll`) +* Unix-like operating systems: Commonly, Shared Object (`.so`) +* MacOS: Commonly, dynamic library (`.dylib`) + +For reference, I investigated how many DLLs the Windows notepad.exe process loads. The results showed that over 100 DLLs are loaded. This indicates that checking which DLLs are loaded is crucial for both security and observability when analyzing a process's behavior. + +![image](https://github.com/user-attachments/assets/7b5dadea-fd27-4c63-8d14-0b66ce39caef) + +In security use cases, it is used to determine whether a DLL loaded by a process is a malicious one prepared by an attacker. +You might think that a legitimate process wouldn't load an unrelated third-party library, but in reality, there are techniques to force such libraries to be loaded (for example, a method known as DLL injection). Thus, in Elastic Defend, we monitor the behavior of processes loading DLLs in order to detect such attack techniques. + +Additionally, there have been recent cases where legitimate programs were tampered with to load libraries prepared by attackers. For more details, please refer to the explanation below. +https://www.elastic.co/security-labs/sinking-macos-pirate-ships + +Note - These fields are currently intended for use in DLL load events. + + 
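Review bot: the Date line in this hunk is malformed, `+- Date: **2025-02-07*` closes with a single asterisk, so Markdown will render a stray `*` instead of bold; it should read `- Date: **2025-02-07**`. Two smaller points in the same hunk: the Windows and MacOS screenshots are inserted as the bare word `image` rather than the `![image](...)` links used further down, so they will not render; and the file use case names a real production domain (`https://outlook.office.com/`) as the hypothetical malicious site, which reads badly in a published RFC and can be quoted out of context, so a reserved documentation name such as `https://malicious.example.com/` would carry the same illustration. The scoping notes themselves are good: saying that the fields are intended for file creation and DLL load events, with file open events as a possible extension, tells implementers exactly where the producers are expected to populate them.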
@@ -116,8 +161,8 @@ The following are the people that consulted on the contents of this RFC. * @AsuNa-jp | author * @joe-desimone -* @trisch-me -* @mjwolf +* @trisch-me +* @mjwolf +* Stage 0: https://github.com/elastic/ecs/pull/2387 * Stage 1: https://github.com/elastic/ecs/pull/2395 +* Stage 2: https://github.com/elastic/ecs/pull/2441 #### Improvements +* Promote beta fields to GA. #2411 * Define base encoding of `x509.serial_number`. #2383 * Restrict the encoding of `x509.serial_number` to base 16. #2398 * Set synthetic_source_keep = none on fields that represent sets. #2422 diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 7f5679e367..1066096481 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -821,17 +821,15 @@ Note also that the `cloud` fields may be used directly at the root of the events | `cloud.origin.*` -| <>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.] - -Provides the cloud information of the origin entity in case of an incoming request or event. +| <> +| Provides the cloud information of the origin entity in case of an incoming request or event. // =============================================================== | `cloud.target.*` -| <>| beta:[ Reusing the `cloud` fields in this location is currently considered beta.] - -Provides the cloud information of the target entity in case of an outgoing request or event. +| <> +| Provides the cloud information of the target entity in case of an outgoing request or event. // =============================================================== @@ -2327,8 +2325,6 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele These fields contain Linux Executable Linkable Format (ELF) metadata. -beta::[ These fields are in beta and are subject to change.] - [discrete] ==== ELF Header Field Details 
@@ -4020,8 +4016,6 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f The user fields describe information about the function as a service (FaaS) that is relevant to the event. -beta::[ These fields are in beta and are subject to change.] - [discrete] ==== FaaS Field Details @@ -4673,9 +4667,8 @@ Note also that the `file` fields may be used directly at the root of the events. | `file.elf.*` -| <>| beta:[ This field reuse is beta and subject to change.] - -These fields contain Linux Executable Linkable Format (ELF) metadata. +| <> +| These fields contain Linux Executable Linkable Format (ELF) metadata. // =============================================================== @@ -5242,9 +5235,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele [[field-host-boot-id]] <> -a| beta:[ This field is beta and subject to change. ] - -Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. +a| Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. type: keyword @@ -5512,9 +5503,7 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele [[field-host-pid-ns-ino]] <> -a| beta:[ This field is beta and subject to change. ] - -This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. +a| This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. type: keyword 
@@ -9070,9 +9059,8 @@ The externally attested user based on an external source such as the Kube API. | `process.elf.*` -| <>| beta:[ This field reuse is beta and subject to change.] - -These fields contain Linux Executable Linkable Format (ELF) metadata. +| <> +| These fields contain Linux Executable Linkable Format (ELF) metadata. // =============================================================== @@ -13407,8 +13395,6 @@ Note also that the `vlan` fields are not expected to be used directly at the roo Fields related to storage volume details. -beta::[ These fields are beta and are subject to change.] - [discrete] ==== Volume Field Details diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 0a4030ba06..c05396aa7e 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -64,8 +64,6 @@ This value is not used by Elastic solutions for alert documents that are created [[ecs-event-kind-asset]] ==== asset -beta:[ This event categorization value is beta and subject to change. ] - This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs. diff --git a/docs/opentelemetry/otel-fields-mapping.asciidoc b/docs/opentelemetry/otel-fields-mapping.asciidoc index e871993a42..4e6d5f047a 100644 --- a/docs/opentelemetry/otel-fields-mapping.asciidoc +++ b/docs/opentelemetry/otel-fields-mapping.asciidoc @@ -540,7 +540,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log .1+| [[otel-mapping-for-faas-coldstart]] -<> [beta] +<> 
@@ -554,7 +554,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log // =============================================================== .1+| [[otel-mapping-for-faas-execution]] -<> [beta] +<> @@ -568,7 +568,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log // =============================================================== .1+| [[otel-mapping-for-faas-name]] -<> [beta] +<> @@ -582,7 +582,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log // =============================================================== .1+| [[otel-mapping-for-faas-trigger-type]] -<> [beta] +<> @@ -596,7 +596,7 @@ Note: The `body` in OTLP is of type `Any` and can be either an unstructured log // =============================================================== .1+| [[otel-mapping-for-faas-version]] -<> [beta] +<> diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1c383350b5..036b33927f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3515,8 +3515,7 @@ event.kind: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert - - beta: This event categorization value is beta and subject to change. - description: 'This value indicates events whose primary purpose is to store an + - description: 'This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. 
@@ -5931,7 +5930,6 @@ host.architecture: short: Operating system architecture. type: keyword host.boot.id: - beta: This field is beta and subject to change. dashed_name: host-boot-id description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. @@ -6390,7 +6388,6 @@ host.os.version: short: Operating system version as a raw string. type: keyword host.pid_ns_ino: - beta: This field is beta and subject to change. dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d5e6aaac47..4c31d47783 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1321,25 +1321,21 @@ cloud: expected: - as: origin at: cloud - beta: Reusing the `cloud` fields in this location is currently considered beta. full: cloud.origin short_override: Provides the cloud information of the origin entity in case of an incoming request or event. - as: target at: cloud - beta: Reusing the `cloud` fields in this location is currently considered beta. full: cloud.target short_override: Provides the cloud information of the target entity in case of an outgoing request or event. top_level: true reused_here: - - beta: Reusing the `cloud` fields in this location is currently considered beta. - full: cloud.origin + - full: cloud.origin schema_name: cloud short: Provides the cloud information of the origin entity in case of an incoming request or event. - - beta: Reusing the `cloud` fields in this location is currently considered beta. - full: cloud.target + - full: cloud.target schema_name: cloud short: Provides the cloud information of the target entity in case of an outgoing request or event. 
@@ -3259,7 +3255,6 @@ ecs: title: ECS type: group elf: - beta: These fields are in beta and are subject to change. description: These fields contain Linux Executable Linkable Format (ELF) metadata. fields: elf.architecture: @@ -3674,11 +3669,9 @@ elf: expected: - as: elf at: file - beta: This field reuse is beta and subject to change. full: file.elf - as: elf at: process - beta: This field reuse is beta and subject to change. full: process.elf top_level: false short: These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -4538,8 +4531,7 @@ event: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert - - beta: This event categorization value is beta and subject to change. - description: 'This value indicates events whose primary purpose is to store + - description: 'This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. @@ -5001,7 +4993,6 @@ event: title: Event type: group faas: - beta: These fields are in beta and are subject to change. description: The user fields describe information about the function as a service (FaaS) that is relevant to the event. fields: @@ -6978,8 +6969,7 @@ file: - full: file.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. - - beta: This field reuse is beta and subject to change. - full: file.elf + - full: file.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - beta: This field reuse is beta and subject to change. 
@@ -7397,7 +7387,6 @@ host: short: Operating system architecture. type: keyword host.boot.id: - beta: This field is beta and subject to change. dashed_name: host-boot-id description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on @@ -7858,7 +7847,6 @@ host: short: Operating system version as a raw string. type: keyword host.pid_ns_ino: - beta: This field is beta and subject to change. dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. @@ -15666,8 +15654,7 @@ process: - full: process.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. - - beta: This field reuse is beta and subject to change. - full: process.elf + - full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - beta: This field reuse is beta and subject to change. @@ -25860,7 +25847,6 @@ vlan: title: VLAN type: group volume: - beta: These fields are beta and are subject to change. description: Fields related to storage volume details. fields: volume.bus_type: diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b12d8e90a2..a1c14a8c24 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3446,8 +3446,7 @@ event.kind: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert - - beta: This event categorization value is beta and subject to change. - description: 'This value indicates events whose primary purpose is to store an + - description: 'This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. @@ -5862,7 +5861,6 @@ host.architecture: short: Operating system architecture. type: keyword host.boot.id: - beta: This field is beta and subject to change. dashed_name: host-boot-id description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. @@ -6321,7 +6319,6 @@ host.os.version: short: Operating system version as a raw string. type: keyword host.pid_ns_ino: - beta: This field is beta and subject to change. dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fb97c570fa..ff5ae4e175 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1241,25 +1241,21 @@ cloud: expected: - as: origin at: cloud - beta: Reusing the `cloud` fields in this location is currently considered beta. full: cloud.origin short_override: Provides the cloud information of the origin entity in case of an incoming request or event. - as: target at: cloud - beta: Reusing the `cloud` fields in this location is currently considered beta. full: cloud.target short_override: Provides the cloud information of the target entity in case of an outgoing request or event. top_level: true reused_here: - - beta: Reusing the `cloud` fields in this location is currently considered beta. - full: cloud.origin + - full: cloud.origin schema_name: cloud short: Provides the cloud information of the origin entity in case of an incoming request or event. - - beta: Reusing the `cloud` fields in this location is currently considered beta. - full: cloud.target + - full: cloud.target schema_name: cloud short: Provides the cloud information of the target entity in case of an outgoing request or event. @@ -3179,7 +3175,6 @@ ecs: title: ECS type: group elf: - beta: These fields are in beta and are subject to change. description: These fields contain Linux Executable Linkable Format (ELF) metadata. fields: elf.architecture: @@ -3594,11 +3589,9 @@ elf: expected: - as: elf at: file - beta: This field reuse is beta and subject to change. full: file.elf - as: elf at: process - beta: This field reuse is beta and subject to change. full: process.elf top_level: false short: These fields contain Linux Executable Linkable Format (ELF) metadata. 
@@ -4458,8 +4451,7 @@ event: This value is not used by Elastic solutions for alert documents that are created by rules executing within the Kibana alerting framework.' name: alert - - beta: This event categorization value is beta and subject to change. - description: 'This value indicates events whose primary purpose is to store + - description: 'This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system. @@ -4921,7 +4913,6 @@ event: title: Event type: group faas: - beta: These fields are in beta and are subject to change. description: The user fields describe information about the function as a service (FaaS) that is relevant to the event. fields: @@ -6898,8 +6889,7 @@ file: - full: file.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. - - beta: This field reuse is beta and subject to change. - full: file.elf + - full: file.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - beta: This field reuse is beta and subject to change. @@ -7317,7 +7307,6 @@ host: short: Operating system architecture. type: keyword host.boot.id: - beta: This field is beta and subject to change. dashed_name: host-boot-id description: Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on @@ -7778,7 +7767,6 @@ host: short: Operating system version as a raw string. type: keyword host.pid_ns_ino: - beta: This field is beta and subject to change. dashed_name: host-pid-ns-ino description: This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. 
@@ -15586,8 +15574,7 @@ process: - full: process.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. - - beta: This field reuse is beta and subject to change. - full: process.elf + - full: process.elf schema_name: elf short: These fields contain Linux Executable Linkable Format (ELF) metadata. - beta: This field reuse is beta and subject to change. @@ -25780,7 +25767,6 @@ vlan: title: VLAN type: group volume: - beta: These fields are beta and are subject to change. description: Fields related to storage volume details. fields: volume.bus_type: diff --git a/schemas/cloud.yml b/schemas/cloud.yml index 2a7f2d29b4..d41661cedc 100644 --- a/schemas/cloud.yml +++ b/schemas/cloud.yml @@ -44,11 +44,9 @@ expected: - at: cloud as: origin - beta: Reusing the `cloud` fields in this location is currently considered beta. short_override: Provides the cloud information of the origin entity in case of an incoming request or event. - at: cloud as: target - beta: Reusing the `cloud` fields in this location is currently considered beta. short_override: Provides the cloud information of the target entity in case of an outgoing request or event. type: group fields: diff --git a/schemas/elf.yml b/schemas/elf.yml index a8594bd029..cd81f6b41d 100644 --- a/schemas/elf.yml +++ b/schemas/elf.yml @@ -20,18 +20,14 @@ group: 2 description: > These fields contain Linux Executable Linkable Format (ELF) metadata. - beta: > - These fields are in beta and are subject to change. type: group reusable: top_level: false expected: - at: file as: elf - beta: This field reuse is beta and subject to change. - at: process as: elf - beta: This field reuse is beta and subject to change. fields: - name: creation_date short: Build or compile date. diff --git a/schemas/event.yml b/schemas/event.yml index 93b8286387..6cf15db9f7 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -99,8 +99,6 @@ `event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system. - beta: > - This event categorization value is beta and subject to change. - name: enrichment description: > The `enrichment` value indicates an event collected to provide additional diff --git a/schemas/faas.yml b/schemas/faas.yml index 302930abb4..511f14e7a9 100644 --- a/schemas/faas.yml +++ b/schemas/faas.yml @@ -22,8 +22,6 @@ description: > The user fields describe information about the function as a service (FaaS) that is relevant to the event. - beta: > - These fields are in beta and are subject to change. type: group fields: - name: name diff --git a/schemas/host.yml b/schemas/host.yml index 560aee1483..48098f8e41 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -225,7 +225,6 @@ type: keyword short: Linux boot uuid taken from /proc/sys/kernel/random/boot_id example: 88a1f0ed-5ae5-41ee-af6b-41921c311872 - beta: This field is beta and subject to change. description: > Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container. @@ -234,6 +233,5 @@ type: keyword short: Pid namespace inode example: 256383 - beta: This field is beta and subject to change. description: > This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h. diff --git a/schemas/volume.yml b/schemas/volume.yml index f2e6dadfa1..557c9053bc 100644 --- a/schemas/volume.yml +++ b/schemas/volume.yml @@ -20,8 +20,6 @@ group: 2 description: > Fields related to storage volume details. - beta: > - These fields are beta and are subject to change. type: group fields: - name: mount_name 
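Review bot: the changelog entry `* Promote beta fields to GA. #2411` does not say which fields were promoted, while the hunks under it remove the beta marker from a specific set: the `cloud.origin.*` and `cloud.target.*` reuses, the `elf` field set and its `file.elf`/`process.elf` reuses, the `faas` field set, `host.boot.id`, `host.pid_ns_ino`, the `event.kind: asset` value, and the `volume` field set. Listing them in the changelog lets integration and rule authors see exactly which fields are now stable. The removals are applied consistently in `schemas/*.yml`, in both `generated/ecs` and `experimental/generated/ecs`, and in the asciidoc docs, which is what a regeneration run should produce. One thing to call out in the PR description: in the `file` and `process` reuse lists the trailing context line still reads `- beta: This field reuse is beta and subject to change.` for the field set reused right after `elf`, so at least one reuse there deliberately stays beta, and without a note it will be read as a missed spot.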
From be3c0a1c7b083988722fb1c7634738eaa39a638d Mon Sep 17 00:00:00 2001 
From: Michael Wolf Date: Thu, 27 Feb 2025 12:59:49 -0800 Subject: [PATCH 09/12] Update version to 9.1.0 (#2445) --- docs/fields/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- .../otel-fields-mapping.asciidoc | 2 +- .../otel-mapping-summary.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 3586 ++++++++--------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/cgroup.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- 
.../composable/component/user.json | 2 +- .../composable/component/user_agent.json | 2 +- .../composable/component/volume.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 84 +- .../elasticsearch/legacy/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 3572 ++++++++-------- .../composable/component/agent.json | 2 +- .../composable/component/base.json | 2 +- .../composable/component/client.json | 2 +- .../composable/component/cloud.json | 2 +- .../composable/component/container.json | 2 +- .../composable/component/data_stream.json | 2 +- .../composable/component/destination.json | 2 +- .../composable/component/device.json | 2 +- .../composable/component/dll.json | 2 +- .../composable/component/dns.json | 2 +- .../composable/component/ecs.json | 2 +- .../composable/component/email.json | 2 +- .../composable/component/error.json | 2 +- .../composable/component/event.json | 2 +- .../composable/component/faas.json | 2 +- .../composable/component/file.json | 2 +- .../composable/component/group.json | 2 +- .../composable/component/host.json | 2 +- .../composable/component/http.json | 2 +- .../composable/component/log.json | 2 +- .../composable/component/network.json | 2 +- .../composable/component/observer.json | 2 +- .../composable/component/orchestrator.json | 2 +- .../composable/component/organization.json | 2 +- .../composable/component/package.json | 2 +- .../composable/component/process.json | 2 +- .../composable/component/registry.json | 2 +- .../composable/component/related.json | 2 +- .../composable/component/rule.json | 2 +- .../composable/component/server.json | 2 +- .../composable/component/service.json | 2 +- .../composable/component/source.json | 2 +- .../composable/component/threat.json | 2 +- .../composable/component/tls.json | 2 +- .../composable/component/tracing.json | 2 +- .../composable/component/url.json | 2 +- .../composable/component/user.json | 2 +- 
.../composable/component/user_agent.json | 2 +- .../composable/component/volume.json | 2 +- .../composable/component/vulnerability.json | 2 +- .../elasticsearch/composable/template.json | 82 +- generated/elasticsearch/legacy/template.json | 2 +- version | 2 +- 94 files changed, 3752 insertions(+), 3752 deletions(-) diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc index f99e3d4198..4aba1029c9 100644 --- a/docs/fields/fields.asciidoc +++ b/docs/fields/fields.asciidoc @@ -1,7 +1,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 9.0.0-dev. +This is the documentation of ECS version 9.1.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index d1e793118a..d1f7ab1dce 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -13,7 +13,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 9.0.0-dev. +This is the documentation of ECS version 9.1.0-dev. [float] === What is ECS? diff --git a/docs/opentelemetry/otel-fields-mapping.asciidoc b/docs/opentelemetry/otel-fields-mapping.asciidoc index 4e6d5f047a..d7d2d112f2 100644 --- a/docs/opentelemetry/otel-fields-mapping.asciidoc +++ b/docs/opentelemetry/otel-fields-mapping.asciidoc @@ -1,7 +1,7 @@ //// This file is automatically generated. Don't edit it manually! //// -The following table gives an overview of mappings between individual ECS fields (in ECS version `9.0.0-dev`) +The following table gives an overview of mappings between individual ECS fields (in ECS version `9.1.0-dev`) and corresponding OTel semantic convention attributes (in SemConv version `1.29.0`). [%header] diff --git a/docs/opentelemetry/otel-mapping-summary.asciidoc b/docs/opentelemetry/otel-mapping-summary.asciidoc index b1a9d9873d..3e766382d8 100644 
--- a/docs/opentelemetry/otel-mapping-summary.asciidoc +++ b/docs/opentelemetry/otel-mapping-summary.asciidoc @@ -2,7 +2,7 @@ //// This file is automatically generated. Don't edit it manually! //// -The following table summarizes the alignment status by namespaces between ECS in version `9.0.0-dev` +The following table summarizes the alignment status by namespaces between ECS in version `9.1.0-dev` and OpenTelemetry semantic conventions in version `1.29.0`. [cols="10*"] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index da8fcb2686..0098f6b40f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 9.0.0-dev+exp. +# based on ECS version 9.1.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index c23fc84400..07136de9ad 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
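Review bot: the commit subject `Update version to 9.1.0` reads like a release, but every visible hunk changes `9.0.0-dev` to `9.1.0-dev` (and `9.0.0-dev+exp` to `9.1.0-dev+exp`), so this opens the 9.1 development cycle rather than tagging 9.1.0; the subject or the PR description should say so. The diffstat shows the bump rewriting every row of both `fields.csv` files (3586 and 3572 changed lines) because `ECS_Version` is the first column, and the otel mapping docs and the `fields.ecs.yml` headers move in lock-step, which is consistent. The larger counts on the two `composable/template.json` files (84 and 82 lines) are expected if that template enumerates versioned component template names, but those hunks are not in view here, so they should be checked to confirm that only the version substring changed and that the `version` file carries the same `9.1.0-dev` string.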
@@ -1,1794 +1,1794 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -9.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -9.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -9.0.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -9.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -9.0.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -9.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -9.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -9.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -9.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -9.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -9.0.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. -9.0.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. -9.0.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." -9.0.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. -9.0.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. 
-9.0.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes -9.0.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics -9.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -9.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -9.0.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -9.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 
-9.0.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -9.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -9.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -9.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -9.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -9.0.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -9.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.0.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.0.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.0.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. 
-9.0.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.0.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -9.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.0.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.0.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.0.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -9.0.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-9.0.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.0.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.0.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -9.0.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -9.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -9.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -9.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -9.0.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -9.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -9.0.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.0.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -9.0.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -9.0.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. 
-9.0.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -9.0.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -9.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -9.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -9.0.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -9.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-9.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -9.0.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -9.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -9.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -9.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -9.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -9.0.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -9.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -9.0.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -9.0.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -9.0.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -9.0.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -9.0.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-9.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -9.0.0-dev+exp,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. -9.0.0-dev+exp,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. -9.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 
-9.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.0.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -9.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -9.0.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -9.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -9.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -9.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -9.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -9.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
-9.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -9.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -9.0.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -9.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -9.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -9.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -9.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -9.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -9.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -9.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -9.0.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -9.0.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -9.0.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. 
-9.0.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -9.0.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -9.0.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -9.0.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -9.0.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -9.0.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -9.0.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -9.0.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -9.0.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -9.0.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -9.0.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -9.0.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -9.0.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -9.0.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. 
-9.0.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -9.0.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -9.0.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -9.0.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -9.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -9.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -9.0.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. -9.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -9.0.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -9.0.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -9.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -9.0.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -9.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -9.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -9.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -9.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -9.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. 
-9.0.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -9.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -9.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -9.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -9.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -9.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -9.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -9.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -9.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -9.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -9.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -9.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -9.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -9.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -9.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. 
-9.0.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -9.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -9.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -9.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -9.0.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -9.0.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -9.0.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -9.0.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -9.0.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -9.0.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -9.0.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -9.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.0.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.0.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -9.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -9.0.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. 
-9.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-9.0.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-9.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.0.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.0.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.0.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-9.0.0-dev+exp,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.0.0-dev+exp,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-9.0.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -9.0.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
-9.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-9.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 
-9.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -9.0.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.0.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.0.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.0.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. -9.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -9.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 
-9.0.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -9.0.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.0.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -9.0.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.0.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.0.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.0.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-9.0.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.0.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.0.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -9.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -9.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -9.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -9.0.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -9.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -9.0.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -9.0.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. 
-9.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -9.0.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -9.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -9.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -9.0.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -9.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -9.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -9.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -9.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -9.0.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -9.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -9.0.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -9.0.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -9.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -9.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -9.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -9.0.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -9.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 
-9.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -9.0.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -9.0.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -9.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -9.0.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -9.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -9.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -9.0.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -9.0.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -9.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -9.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -9.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -9.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -9.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -9.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -9.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -9.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-9.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -9.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -9.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. -9.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -9.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -9.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -9.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -9.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -9.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -9.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -9.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-9.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -9.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -9.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -9.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -9.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -9.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -9.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -9.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -9.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -9.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-9.0.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.0.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -9.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -9.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -9.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -9.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -9.0.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. 
-9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -9.0.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -9.0.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -9.0.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -9.0.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -9.0.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -9.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -9.0.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. 
-9.0.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -9.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -9.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -9.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -9.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -9.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -9.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -9.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -9.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -9.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -9.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -9.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -9.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -9.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -9.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
-9.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. 
-9.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. 
-9.0.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-9.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.0.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.0.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.0.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
-9.0.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.0.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-9.0.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.0.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -9.0.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. 
-9.0.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.0.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.0.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.0.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.0.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.0.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.0.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
-9.0.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.0.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.0.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.0.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.0.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.0.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.0.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.0.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.0.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. 
-9.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-9.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 
-9.0.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -9.0.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
-9.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-9.0.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.0.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.0.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-9.0.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.0.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -9.0.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.0.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. -9.0.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -9.0.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.0.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. 
-9.0.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. 
-9.0.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.0.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.0.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. 
-9.0.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.0.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.0.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.0.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. 
-9.0.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -9.0.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. -9.0.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. -9.0.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.0.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -9.0.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. -9.0.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-9.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.0.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -9.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -9.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -9.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-9.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -9.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -9.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -9.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -9.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -9.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -9.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -9.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -9.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -9.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -9.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -9.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -9.0.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -9.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -9.0.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -9.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -9.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -9.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -9.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -9.0.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -9.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. -9.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.0.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
-9.0.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. -9.0.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.0.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.0.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.0.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. -9.0.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -9.0.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -9.0.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
-9.0.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.0.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.0.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. -9.0.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -9.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.0.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -9.0.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -9.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -9.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -9.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -9.0.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -9.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-9.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -9.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -9.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -9.0.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -9.0.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -9.0.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -9.0.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -9.0.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -9.0.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -9.0.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -9.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -9.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -9.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -9.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -9.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -9.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -9.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.0.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.0.0-dev+exp,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.0.0-dev+exp,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -9.0.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
-9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -9.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.0.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.0.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -9.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
-9.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.0.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -9.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.0.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-9.0.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -9.0.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.0.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -9.0.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.0.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -9.0.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-9.0.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -9.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -9.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -9.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
-9.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -9.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -9.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -9.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -9.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -9.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -9.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -9.0.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -9.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -9.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -9.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -9.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -9.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -9.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
-9.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -9.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -9.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -9.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -9.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -9.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -9.0.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
-9.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -9.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-9.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." 
-9.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -9.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -9.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -9.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -9.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -9.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -9.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -9.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -9.0.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -9.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -9.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. 
-9.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -9.0.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -9.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. 
-9.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. 
-9.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -9.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -9.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -9.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -9.0.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -9.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -9.0.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
-9.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -9.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
-9.0.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. 
-9.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.0.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. -9.0.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.0.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -9.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -9.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -9.0.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.0.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-9.0.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.0.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -9.0.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -9.0.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -9.0.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -9.0.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -9.0.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -9.0.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -9.0.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -9.0.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. 
-9.0.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -9.0.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -9.0.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -9.0.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -9.0.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -9.0.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -9.0.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -9.0.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -9.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -9.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. 
-9.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -9.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -9.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -9.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -9.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -9.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.1.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.1.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.1.0-dev+exp,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.1.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.1.0-dev+exp,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.1.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.1.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.1.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.1.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.1.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.1.0-dev+exp,true,cgroup,cgroup.cpu.periods,long,extended,,454839343,Number of period intervals that have elapsed. 
+9.1.0-dev+exp,true,cgroup,cgroup.cpu.throttled.us,long,extended,,15000,Microseconds of CPU throttled time. +9.1.0-dev+exp,true,cgroup,cgroup.cpu.usage,scaled_float,extended,,,"CPU usage, normalized by the CPU count." +9.1.0-dev+exp,true,cgroup,cgroup.memory.limit,long,extended,,256,Memory limit within the cgroup. +9.1.0-dev+exp,true,cgroup,cgroup.memory.swap.usage,long,extended,,5600,The amount of cgroup memory in swap. +9.1.0-dev+exp,true,cgroup,cgroup.memory.usage,long,extended,,25600,Memory usage in bytes +9.1.0-dev+exp,true,cgroup,cgroup.version,long,extended,,,The cgroup version linked to the metrics +9.1.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +9.1.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev+exp,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.1.0-dev+exp,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.1.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+9.1.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +9.1.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.1.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.1.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +9.1.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.1.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +9.1.0-dev+exp,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.1.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,client,client.user.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.1.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.1.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.1.0-dev+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
+9.1.0-dev+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.1.0-dev+exp,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev+exp,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev+exp,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev+exp,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev+exp,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev+exp,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev+exp,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.1.0-dev+exp,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev+exp,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 
+9.1.0-dev+exp,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev+exp,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev+exp,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev+exp,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.1.0-dev+exp,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev+exp,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.1.0-dev+exp,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.1.0-dev+exp,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.1.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +9.1.0-dev+exp,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.1.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.1.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.1.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +9.1.0-dev+exp,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.1.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +9.1.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.1.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 
+9.1.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.1.0-dev+exp,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.1.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +9.1.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.1.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.1.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +9.1.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev+exp,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.1.0-dev+exp,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.1.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 
+9.1.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.1.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.1.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.1.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.1.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.1.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +9.1.0-dev+exp,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.1.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,destination,destination.user.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.1.0-dev+exp,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.1.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.1.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.1.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.1.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.1.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.1.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 
+9.1.0-dev+exp,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.1.0-dev+exp,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. +9.1.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.1.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev+exp,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. 
+9.1.0-dev+exp,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev+exp,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev+exp,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.1.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.1.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.1.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 
+9.1.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.1.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.1.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.1.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.1.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.1.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.1.0-dev+exp,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.1.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.1.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.1.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.1.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.1.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.1.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.1.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.1.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 
+9.1.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.1.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.1.0-dev+exp,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.1.0-dev+exp,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +9.1.0-dev+exp,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.1.0-dev+exp,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.1.0-dev+exp,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.1.0-dev+exp,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.1.0-dev+exp,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.1.0-dev+exp,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. 
+9.1.0-dev+exp,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.1.0-dev+exp,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.1.0-dev+exp,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.1.0-dev+exp,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.1.0-dev+exp,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.1.0-dev+exp,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.1.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.1.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.1.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.1.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +9.1.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.1.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. +9.1.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.1.0-dev+exp,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.1.0-dev+exp,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.1.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.1.0-dev+exp,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. 
+9.1.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.1.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.1.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.1.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.1.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.1.0-dev+exp,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.1.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.1.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.1.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.1.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.1.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +9.1.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.1.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.1.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+9.1.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.1.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.1.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.1.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.1.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.1.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.1.0-dev+exp,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.1.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +9.1.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.1.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.1.0-dev+exp,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.1.0-dev+exp,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +9.1.0-dev+exp,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.1.0-dev+exp,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.1.0-dev+exp,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.1.0-dev+exp,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
+9.1.0-dev+exp,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.1.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.1.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +9.1.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 
+9.1.0-dev+exp,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev+exp,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev+exp,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.1.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev+exp,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev+exp,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+9.1.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.1.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.1.0-dev+exp,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
+9.1.0-dev+exp,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev+exp,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev+exp,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev+exp,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev+exp,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
+9.1.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.1.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.1.0-dev+exp,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.1.0-dev+exp,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev+exp,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.1.0-dev+exp,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev+exp,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev+exp,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev+exp,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.1.0-dev+exp,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +9.1.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.1.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+9.1.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+9.1.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.1.0-dev+exp,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.1.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.1.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.1.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.1.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.1.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 
+9.1.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.1.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +9.1.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +9.1.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.1.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +9.1.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.1.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.1.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.1.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.1.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.1.0-dev+exp,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev+exp,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev+exp,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
+9.1.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.1.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.1.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.1.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.1.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +9.1.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.1.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.1.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.1.0-dev+exp,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. 
+9.1.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.1.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.1.0-dev+exp,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.1.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.1.0-dev+exp,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.1.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +9.1.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.1.0-dev+exp,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +9.1.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.1.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.1.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.1.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.1.0-dev+exp,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.1.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +9.1.0-dev+exp,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.1.0-dev+exp,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.1.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.1.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
+9.1.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +9.1.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.1.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.1.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.1.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.1.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.1.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +9.1.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +9.1.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.1.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.1.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.1.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.1.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.1.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.1.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.1.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.1.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.1.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. 
+9.1.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.1.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.1.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.1.0-dev+exp,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.1.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +9.1.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +9.1.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +9.1.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.1.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.1.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.1.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.1.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. 
+9.1.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.1.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.1.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.1.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.1.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.1.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.1.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 
+9.1.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.1.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.1.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.1.0-dev+exp,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev+exp,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev+exp,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.1.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.1.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.1.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.1.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.1.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. 
+9.1.0-dev+exp,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.1.0-dev+exp,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.1.0-dev+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.1.0-dev+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.1.0-dev+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.1.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.1.0-dev+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.1.0-dev+exp,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. 
+9.1.0-dev+exp,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.1.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.1.0-dev+exp,true,organization,organization.name,keyword,extended,,,Organization name. +9.1.0-dev+exp,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.1.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.1.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.1.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.1.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.1.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +9.1.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +9.1.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.1.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +9.1.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.1.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.1.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. 
+9.1.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +9.1.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +9.1.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.1.0-dev+exp,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev+exp,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev+exp,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.1.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev+exp,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev+exp,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.1.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev+exp,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.1.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev+exp,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.1.0-dev+exp,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.1.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.1.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+9.1.0-dev+exp,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev+exp,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev+exp,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.1.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.1.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.1.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev+exp,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id. 
+9.1.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev+exp,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. 
+9.1.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev+exp,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+9.1.0-dev+exp,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.1.0-dev+exp,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.1.0-dev+exp,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.1.0-dev+exp,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.1.0-dev+exp,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.1.0-dev+exp,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.1.0-dev+exp,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.1.0-dev+exp,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.1.0-dev+exp,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.1.0-dev+exp,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev+exp,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev+exp,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev+exp,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
+9.1.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.1.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev+exp,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+9.1.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev+exp,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev+exp,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+9.1.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.1.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.1.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. 
+9.1.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev+exp,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 
+9.1.0-dev+exp,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev+exp,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev+exp,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev+exp,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.1.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+9.1.0-dev+exp,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.1.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev+exp,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev+exp,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.1.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.1.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.1.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.1.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. +9.1.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.1.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.1.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev+exp,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev+exp,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.1.0-dev+exp,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev+exp,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. 
+9.1.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev+exp,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev+exp,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.1.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev+exp,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
+9.1.0-dev+exp,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev+exp,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev+exp,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+9.1.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
+9.1.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.1.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.1.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.1.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. +9.1.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title. +9.1.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.1.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.1.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.1.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,process,process.vpid,long,core,,4242,Virtual process id. +9.1.0-dev+exp,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev+exp,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.1.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.1.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.1.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.1.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.1.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.1.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.1.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+9.1.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.1.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.1.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.1.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +9.1.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.1.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.1.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.1.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.1.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.1.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.1.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +9.1.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev+exp,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.1.0-dev+exp,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.1.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+9.1.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +9.1.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.1.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.1.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +9.1.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.1.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +9.1.0-dev+exp,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.1.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,server,server.user.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.1.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.1.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.1.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.1.0-dev+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
+9.1.0-dev+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.1.0-dev+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev+exp,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.1.0-dev+exp,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev+exp,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.1.0-dev+exp,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.1.0-dev+exp,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.1.0-dev+exp,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev+exp,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +9.1.0-dev+exp,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.1.0-dev+exp,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev+exp,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev+exp,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. 
+9.1.0-dev+exp,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev+exp,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.1.0-dev+exp,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.1.0-dev+exp,true,service,service.target.state,keyword,core,,,Current state of the service. +9.1.0-dev+exp,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev+exp,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +9.1.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev+exp,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.1.0-dev+exp,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.1.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+9.1.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +9.1.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.1.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.1.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +9.1.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.1.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +9.1.0-dev+exp,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.1.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,source,source.user.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.1.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.1.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.1.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.1.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.1.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.1.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.1.0-dev+exp,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.1.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.1.0-dev+exp,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.1.0-dev+exp,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.1.0-dev+exp,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.1.0-dev+exp,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +9.1.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.1.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.1.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.1.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.1.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.1.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.1.0-dev+exp,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.1.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.1.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.1.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.1.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.1.0-dev+exp,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.1.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.1.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.1.0-dev+exp,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.1.0-dev+exp,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.1.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.1.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. 
+9.1.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev+exp,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.1.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.1.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.1.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.1.0-dev+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.1.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.1.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.1.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.1.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.1.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.1.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
+9.1.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.1.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev+exp,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.1.0-dev+exp,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.1.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.1.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.1.0-dev+exp,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev+exp,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+9.1.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.1.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.1.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.1.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.1.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev+exp,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.1.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.1.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.1.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
+9.1.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.1.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.1.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +9.1.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.1.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +9.1.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.1.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.1.0-dev+exp,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. +9.1.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.1.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.1.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.1.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.1.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.1.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.1.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
+9.1.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.1.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev+exp,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +9.1.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.1.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.1.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.1.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.1.0-dev+exp,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+9.1.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.1.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+9.1.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." 
+9.1.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.1.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.1.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +9.1.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +9.1.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.1.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.1.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +9.1.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.1.0-dev+exp,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.1.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.1.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. 
+9.1.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.1.0-dev+exp,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.1.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. 
+9.1.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.1.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.1.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.1.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.1.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +9.1.0-dev+exp,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev+exp,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +9.1.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.1.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
+9.1.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +9.1.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,user,user.changes.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
+9.1.0-dev+exp,true,user,user.effective.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. 
+9.1.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.1.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.1.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. +9.1.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.1.0-dev+exp,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +9.1.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.1.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.1.0-dev+exp,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.1.0-dev+exp,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.1.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+9.1.0-dev+exp,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev+exp,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev+exp,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.1.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.1.0-dev+exp,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.1.0-dev+exp,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.1.0-dev+exp,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.1.0-dev+exp,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.1.0-dev+exp,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.1.0-dev+exp,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.1.0-dev+exp,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.1.0-dev+exp,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. 
+9.1.0-dev+exp,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.1.0-dev+exp,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.1.0-dev+exp,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.1.0-dev+exp,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +9.1.0-dev+exp,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.1.0-dev+exp,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.1.0-dev+exp,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.1.0-dev+exp,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.1.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.1.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. 
+9.1.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.1.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.1.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +9.1.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +9.1.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.1.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/composable/component/agent.json b/experimental/generated/elasticsearch/composable/component/agent.json index e1b68bc031..77fca71736 100644 --- a/experimental/generated/elasticsearch/composable/component/agent.json +++ b/experimental/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/base.json b/experimental/generated/elasticsearch/composable/component/base.json index f02fa11fbd..a12faa855e 100644 --- a/experimental/generated/elasticsearch/composable/component/base.json +++ b/experimental/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cgroup.json b/experimental/generated/elasticsearch/composable/component/cgroup.json index 092d3a33e7..b93606d0c1 100644 
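Review bot: two short descriptions in the volume rows of this regenerated CSV are wrong and should be corrected in the schema source they are generated from, then regenerated, not patched in the CSV: `volume.default_access` carries "Bus type of the device.", identical to the description of `volume.bus_type`, and `volume.product_name` reads "Produce name of the volume." where "Product name" is meant. While in that source, the country rows are inconsistent between "List of country \(C) code" on the subject fields and "List of country \(C) codes" on the issuer fields, and the `\(` escape leaks into the generated output even though neighbouring rows use plain "(L)", "(O)" and "(OU)"; dropping the backslash and settling on the plural would make these match. The whole file shows as added lines because the `9.0.0-dev+exp` to `9.1.0-dev+exp` bump rewrites every row, so these defects predate this change, but this diff is where they surface.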
--- a/experimental/generated/elasticsearch/composable/component/cgroup.json +++ b/experimental/generated/elasticsearch/composable/component/cgroup.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cgroup.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/client.json b/experimental/generated/elasticsearch/composable/component/client.json index 1b6516040e..a5b6e8cdc8 100644 --- a/experimental/generated/elasticsearch/composable/component/client.json +++ b/experimental/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 28e968adb8..eead618f95 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json index 374e71704d..f9a4408f7f 100644 --- a/experimental/generated/elasticsearch/composable/component/container.json +++ b/experimental/generated/elasticsearch/composable/component/container.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/data_stream.json b/experimental/generated/elasticsearch/composable/component/data_stream.json index 9cc522bd77..8acd091843 100644 --- a/experimental/generated/elasticsearch/composable/component/data_stream.json +++ b/experimental/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/destination.json b/experimental/generated/elasticsearch/composable/component/destination.json index e88428e145..ab7d771c80 100644 --- a/experimental/generated/elasticsearch/composable/component/destination.json +++ b/experimental/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index 711b131438..4cb124c744 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index e29845afad..5b7d75821d 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/dns.json b/experimental/generated/elasticsearch/composable/component/dns.json index d054e5b22b..bbde28f42f 100644 --- a/experimental/generated/elasticsearch/composable/component/dns.json +++ b/experimental/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/ecs.json b/experimental/generated/elasticsearch/composable/component/ecs.json index fb53443d7f..4d7a1d1652 100644 --- a/experimental/generated/elasticsearch/composable/component/ecs.json +++ b/experimental/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 4005627532..81acecebb8 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/error.json b/experimental/generated/elasticsearch/composable/component/error.json index 1ffda6da4d..4b02a2aa54 100644 --- a/experimental/generated/elasticsearch/composable/component/error.json +++ b/experimental/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/event.json b/experimental/generated/elasticsearch/composable/component/event.json index fe89995f5c..3c66902360 100644 --- a/experimental/generated/elasticsearch/composable/component/event.json +++ b/experimental/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/faas.json b/experimental/generated/elasticsearch/composable/component/faas.json index 37adc56cea..e4a75a4058 100644 --- a/experimental/generated/elasticsearch/composable/component/faas.json +++ b/experimental/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index 4f458e0248..cbf0bb52a9 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/group.json b/experimental/generated/elasticsearch/composable/component/group.json index 2d1d44be2a..9ac8b89759 100644 --- a/experimental/generated/elasticsearch/composable/component/group.json +++ b/experimental/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index 05b2541767..30243078c7 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/http.json b/experimental/generated/elasticsearch/composable/component/http.json index 4d156eab39..9047794cc9 100644 --- a/experimental/generated/elasticsearch/composable/component/http.json +++ b/experimental/generated/elasticsearch/composable/component/http.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index dfac9cfa24..aa35298a38 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/network.json b/experimental/generated/elasticsearch/composable/component/network.json index cb42c402ce..c0654db295 100644 --- a/experimental/generated/elasticsearch/composable/component/network.json +++ b/experimental/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/observer.json b/experimental/generated/elasticsearch/composable/component/observer.json index 3fe7534fb2..dacba4185a 100644 --- a/experimental/generated/elasticsearch/composable/component/observer.json +++ b/experimental/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json index ef52bc9241..72e633bc65 100644 --- a/experimental/generated/elasticsearch/composable/component/orchestrator.json +++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/organization.json b/experimental/generated/elasticsearch/composable/component/organization.json index d4bd623bbb..66096419da 100644 --- a/experimental/generated/elasticsearch/composable/component/organization.json +++ b/experimental/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/package.json b/experimental/generated/elasticsearch/composable/component/package.json index 2f8407105b..df1970a5a6 100644 --- a/experimental/generated/elasticsearch/composable/component/package.json +++ b/experimental/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 0661c41320..ddfee89086 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json 
+++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/registry.json b/experimental/generated/elasticsearch/composable/component/registry.json index 84a720c5c9..6693345803 100644 --- a/experimental/generated/elasticsearch/composable/component/registry.json +++ b/experimental/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 21042d189a..a7aaab26f9 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/rule.json b/experimental/generated/elasticsearch/composable/component/rule.json index ce9b53da28..9c463d822b 100644 --- a/experimental/generated/elasticsearch/composable/component/rule.json +++ b/experimental/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/server.json b/experimental/generated/elasticsearch/composable/component/server.json index 9a7a030ea7..0fdb41ff6a 100644 --- a/experimental/generated/elasticsearch/composable/component/server.json +++ b/experimental/generated/elasticsearch/composable/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index b75e677058..db9871fb45 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/source.json b/experimental/generated/elasticsearch/composable/component/source.json index 01be70ad42..e50c123067 100644 --- a/experimental/generated/elasticsearch/composable/component/source.json +++ b/experimental/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 02559871a7..1ce3bab9bc 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tls.json b/experimental/generated/elasticsearch/composable/component/tls.json index 4630b45bba..62b74db313 100644 --- a/experimental/generated/elasticsearch/composable/component/tls.json +++ b/experimental/generated/elasticsearch/composable/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/tracing.json b/experimental/generated/elasticsearch/composable/component/tracing.json index 95814055f4..6abb79d281 100644 --- a/experimental/generated/elasticsearch/composable/component/tracing.json +++ b/experimental/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/url.json b/experimental/generated/elasticsearch/composable/component/url.json index 0d35e6aad1..24ac58c0ab 100644 --- a/experimental/generated/elasticsearch/composable/component/url.json +++ b/experimental/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index b7fc17a8f1..b84468413c 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/user_agent.json b/experimental/generated/elasticsearch/composable/component/user_agent.json index 165d8bfd6e..f655a59aca 100644 --- a/experimental/generated/elasticsearch/composable/component/user_agent.json +++ b/experimental/generated/elasticsearch/composable/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/volume.json b/experimental/generated/elasticsearch/composable/component/volume.json index e3802fa838..7815f015e6 100644 --- a/experimental/generated/elasticsearch/composable/component/volume.json +++ b/experimental/generated/elasticsearch/composable/component/volume.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/component/vulnerability.json b/experimental/generated/elasticsearch/composable/component/vulnerability.json index 2636cecade..e163c5ff16 100644 --- a/experimental/generated/elasticsearch/composable/component/vulnerability.json 
+++ b/experimental/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 079b07510c..ab32da8b1b 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json 
@@ -1,50 +1,50 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "9.0.0-dev+exp" + "ecs_version": "9.1.0-dev+exp" }, "composed_of": [ - "ecs_9.0.0-dev-exp_cgroup", - "ecs_9.0.0-dev-exp_base", - "ecs_9.0.0-dev-exp_agent", - "ecs_9.0.0-dev-exp_client", - "ecs_9.0.0-dev-exp_cloud", - "ecs_9.0.0-dev-exp_container", - "ecs_9.0.0-dev-exp_data_stream", - "ecs_9.0.0-dev-exp_destination", - "ecs_9.0.0-dev-exp_device", - "ecs_9.0.0-dev-exp_dll", - "ecs_9.0.0-dev-exp_dns", - "ecs_9.0.0-dev-exp_ecs", - "ecs_9.0.0-dev-exp_email", - "ecs_9.0.0-dev-exp_error", - "ecs_9.0.0-dev-exp_event", - "ecs_9.0.0-dev-exp_faas", - "ecs_9.0.0-dev-exp_file", - "ecs_9.0.0-dev-exp_group", - "ecs_9.0.0-dev-exp_host", - "ecs_9.0.0-dev-exp_http", - "ecs_9.0.0-dev-exp_log", - "ecs_9.0.0-dev-exp_network", - "ecs_9.0.0-dev-exp_observer", - "ecs_9.0.0-dev-exp_orchestrator", - "ecs_9.0.0-dev-exp_organization", - "ecs_9.0.0-dev-exp_package", - "ecs_9.0.0-dev-exp_process", - "ecs_9.0.0-dev-exp_registry", - "ecs_9.0.0-dev-exp_related", - "ecs_9.0.0-dev-exp_rule", - "ecs_9.0.0-dev-exp_server", - "ecs_9.0.0-dev-exp_service", - "ecs_9.0.0-dev-exp_source", - "ecs_9.0.0-dev-exp_threat", - "ecs_9.0.0-dev-exp_tls", - "ecs_9.0.0-dev-exp_tracing", - "ecs_9.0.0-dev-exp_url", - "ecs_9.0.0-dev-exp_user_agent", - "ecs_9.0.0-dev-exp_user", - "ecs_9.0.0-dev-exp_volume", - "ecs_9.0.0-dev-exp_vulnerability" + "ecs_9.1.0-dev-exp_cgroup", + "ecs_9.1.0-dev-exp_base", + "ecs_9.1.0-dev-exp_agent", + "ecs_9.1.0-dev-exp_client", + "ecs_9.1.0-dev-exp_cloud", + "ecs_9.1.0-dev-exp_container", + "ecs_9.1.0-dev-exp_data_stream", + "ecs_9.1.0-dev-exp_destination", + "ecs_9.1.0-dev-exp_device", + "ecs_9.1.0-dev-exp_dll", + "ecs_9.1.0-dev-exp_dns", + "ecs_9.1.0-dev-exp_ecs", + "ecs_9.1.0-dev-exp_email", + "ecs_9.1.0-dev-exp_error", + "ecs_9.1.0-dev-exp_event", + "ecs_9.1.0-dev-exp_faas", + "ecs_9.1.0-dev-exp_file", + "ecs_9.1.0-dev-exp_group", + "ecs_9.1.0-dev-exp_host", + 
"ecs_9.1.0-dev-exp_http", + "ecs_9.1.0-dev-exp_log", + "ecs_9.1.0-dev-exp_network", + "ecs_9.1.0-dev-exp_observer", + "ecs_9.1.0-dev-exp_orchestrator", + "ecs_9.1.0-dev-exp_organization", + "ecs_9.1.0-dev-exp_package", + "ecs_9.1.0-dev-exp_process", + "ecs_9.1.0-dev-exp_registry", + "ecs_9.1.0-dev-exp_related", + "ecs_9.1.0-dev-exp_rule", + "ecs_9.1.0-dev-exp_server", + "ecs_9.1.0-dev-exp_service", + "ecs_9.1.0-dev-exp_source", + "ecs_9.1.0-dev-exp_threat", + "ecs_9.1.0-dev-exp_tls", + "ecs_9.1.0-dev-exp_tracing", + "ecs_9.1.0-dev-exp_url", + "ecs_9.1.0-dev-exp_user_agent", + "ecs_9.1.0-dev-exp_user", + "ecs_9.1.0-dev-exp_volume", + "ecs_9.1.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 9fd27b6a14..03aa833c05 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "9.0.0-dev+exp" + "version": "9.1.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index ddcd580f9d..4828dd7766 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 9.0.0-dev. +# based on ECS version 9.1.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 1b7b9815da..dfb0ba76b5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,1787 +1,1787 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -9.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -9.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -9.0.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -9.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -9.0.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -9.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -9.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -9.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -9.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -9.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -9.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. -9.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -9.0.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -9.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-9.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -9.0.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -9.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -9.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -9.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -9.0.0-dev,true,client,client.port,long,core,,,Port of the client. -9.0.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -9.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -9.0.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.0.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
-9.0.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.0.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -9.0.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -9.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.0.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.0.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
-9.0.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -9.0.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.0.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -9.0.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -9.0.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -9.0.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.0.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -9.0.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.0.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.0.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. -9.0.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -9.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -9.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -9.0.0-dev,true,container,container.labels,object,extended,,,Image labels. -9.0.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -9.0.0-dev,true,container,container.name,keyword,extended,,,Container name. -9.0.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 
-9.0.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -9.0.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -9.0.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -9.0.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -9.0.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -9.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -9.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -9.0.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -9.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -9.0.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -9.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -9.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -9.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -9.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -9.0.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -9.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -9.0.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.0.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -9.0.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -9.0.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -9.0.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. -9.0.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -9.0.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.0.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -9.0.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. -9.0.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. 
-9.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -9.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.0.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -9.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -9.0.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -9.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -9.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -9.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -9.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -9.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 
-9.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -9.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -9.0.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -9.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -9.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -9.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -9.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -9.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -9.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -9.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -9.0.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -9.0.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -9.0.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. 
-9.0.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -9.0.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -9.0.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -9.0.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -9.0.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -9.0.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -9.0.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. -9.0.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -9.0.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -9.0.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -9.0.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -9.0.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -9.0.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -9.0.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -9.0.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. 
-9.0.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -9.0.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -9.0.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -9.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -9.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -9.0.0-dev,true,error,error.message,match_only_text,core,,,Error message. -9.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -9.0.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -9.0.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -9.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -9.0.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -9.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -9.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -9.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -9.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -9.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -9.0.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. 
-9.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -9.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -9.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -9.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -9.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -9.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -9.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -9.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -9.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -9.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -9.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -9.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -9.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -9.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -9.0.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -9.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
-9.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -9.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -9.0.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -9.0.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -9.0.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -9.0.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -9.0.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -9.0.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. -9.0.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -9.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.0.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-9.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,file,file.created,date,extended,,,File creation time. -9.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -9.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.0.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.0.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 
-9.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.0.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. 
-9.0.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.0.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.0.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-9.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. 
-9.0.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -9.0.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -9.0.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.0.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.0.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.0.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -9.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. -9.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -9.0.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -9.0.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.0.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -9.0.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.0.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-9.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.0.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.0.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.0.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.0.0-dev,true,host,host.type,keyword,core,,,Type of host. -9.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -9.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-9.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -9.0.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -9.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -9.0.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -9.0.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -9.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -9.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -9.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -9.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -9.0.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -9.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -9.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -9.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -9.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -9.0.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -9.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -9.0.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -9.0.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. 
-9.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -9.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -9.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -9.0.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -9.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -9.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -9.0.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -9.0.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -9.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -9.0.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -9.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -9.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -9.0.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -9.0.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -9.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -9.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -9.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -9.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
-9.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -9.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -9.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -9.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -9.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -9.0.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -9.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -9.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -9.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -9.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -9.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -9.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -9.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-9.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -9.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -9.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -9.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -9.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -9.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -9.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-9.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -9.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -9.0.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -9.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -9.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -9.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -9.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -9.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. 
-9.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -9.0.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -9.0.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -9.0.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -9.0.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -9.0.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -9.0.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -9.0.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -9.0.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -9.0.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -9.0.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -9.0.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -9.0.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -9.0.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -9.0.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. 
-9.0.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -9.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -9.0.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -9.0.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -9.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -9.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -9.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -9.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -9.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -9.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -9.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -9.0.0-dev,true,package,package.name,keyword,extended,,go,Package name -9.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -9.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -9.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -9.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -9.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -9.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
-9.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
-9.0.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
-9.0.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. 
-9.0.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.0.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.0.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.0.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.0.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 
-9.0.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.0.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -9.0.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.0.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-9.0.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
-9.0.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.0.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.0.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.0.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.0.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.0.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.0.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
-9.0.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.0.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.0.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.0.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. 
-9.0.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -9.0.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-9.0.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.0.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-9.0.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.0.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -9.0.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
-9.0.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.0.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.0.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.0.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.0.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
-9.0.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -9.0.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. 
-9.0.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.0.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.0.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -9.0.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.0.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -9.0.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -9.0.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. 
-9.0.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.0.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.0.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-9.0.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,process,process.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.0.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.0.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.0.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.0.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.0.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.0.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -9.0.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.0.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.0.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-9.0.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -9.0.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.0.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.0.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.0.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.0.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.0.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -9.0.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -9.0.0-dev,true,process,process.title,keyword,extended,,,Process title. -9.0.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -9.0.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. -9.0.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.0.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.0.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.0.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -9.0.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -9.0.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.0.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
-9.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.0.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -9.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -9.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -9.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
-9.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -9.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -9.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -9.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -9.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -9.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -9.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -9.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -9.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -9.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -9.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. -9.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -9.0.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -9.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
-9.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -9.0.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -9.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -9.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -9.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -9.0.0-dev,true,server,server.port,long,core,,,Port of the server. -9.0.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -9.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -9.0.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -9.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.0.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.0.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
-9.0.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.0.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.0.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.0.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -9.0.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -9.0.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.0.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -9.0.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.0.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.0.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.0.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.0.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
-9.0.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.0.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -9.0.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -9.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -9.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. -9.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.0.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
-9.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -9.0.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -9.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -9.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -9.0.0-dev,true,source,source.port,long,core,,,Port of the source. -9.0.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -9.0.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.0.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -9.0.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -9.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -9.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.0.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.0.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -9.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -9.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.0.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.0.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.0.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-9.0.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-9.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -9.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -9.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -9.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -9.0.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -9.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -9.0.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -9.0.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -9.0.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -9.0.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -9.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -9.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -9.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -9.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -9.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -9.0.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.0.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-9.0.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.0.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.0.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.0.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.0.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-9.0.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.0.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.0.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -9.0.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.0.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.0.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.0.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.0.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.0.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.0.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.0.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.0.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.0.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-9.0.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.0.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.0.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.0.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
-9.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.0.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.0.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.0.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.0.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.0.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-9.0.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.0.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.0.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.0.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.0.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.0.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.0.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.0.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.0.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.0.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.0.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.0.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.0.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.0.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.0.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.0.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. -9.0.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -9.0.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.0.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.0.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.0.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.0.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-9.0.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.0.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.0.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.0.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.0.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.0.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.0.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.0.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.0.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.0.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.0.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.0.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.0.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-9.0.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -9.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.0.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.0.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -9.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.0.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.0.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.0.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.0.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.0.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-9.0.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.0.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -9.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.0.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -9.0.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
-9.0.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -9.0.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.0.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -9.0.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.0.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-9.0.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.0.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -9.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -9.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -9.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -9.0.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -9.0.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -9.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -9.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -9.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -9.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -9.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -9.0.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
-9.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -9.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -9.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -9.0.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -9.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -9.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -9.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -9.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -9.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -9.0.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
-9.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -9.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -9.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -9.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -9.0.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -9.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -9.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -9.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -9.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -9.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -9.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -9.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -9.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -9.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-9.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -9.0.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -9.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -9.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -9.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -9.0.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -9.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -9.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -9.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -9.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -9.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -9.0.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.0.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-9.0.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -9.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -9.0.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -9.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -9.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -9.0.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.0.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -9.0.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-9.0.0-dev,true,user,user.email,keyword,extended,,,User email address. -9.0.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.0.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.0.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.0.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.0.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -9.0.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -9.0.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -9.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.0.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.0.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -9.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-9.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.0.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -9.0.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -9.0.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. 
-9.0.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -9.0.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -9.0.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -9.0.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -9.0.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -9.0.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -9.0.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -9.0.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -9.0.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -9.0.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -9.0.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -9.0.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -9.0.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -9.0.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -9.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. 
-9.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -9.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -9.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -9.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -9.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -9.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -9.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -9.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.1.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.1.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.1.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.1.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.1.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.1.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.1.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.1.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 
+9.1.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.1.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.1.0-dev,true,client,client.address,keyword,extended,,,Client network address. +9.1.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.1.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.1.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +9.1.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. 
+9.1.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.1.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +9.1.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.1.0-dev,true,client,client.port,long,core,,,Port of the client. +9.1.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.1.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.1.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.1.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.1.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.1.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.1.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
+9.1.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.1.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.1.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.1.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.1.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.1.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.1.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.1.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.1.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.1.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.1.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.1.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.1.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." 
+9.1.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.1.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.1.0-dev,true,container,container.id,keyword,core,,,Unique container id. +9.1.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.1.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.1.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.1.0-dev,true,container,container.labels,object,extended,,,Image labels. +9.1.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.1.0-dev,true,container,container.name,keyword,extended,,,Container name. +9.1.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.1.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.1.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.1.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.1.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +9.1.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.1.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. 
+9.1.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +9.1.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.1.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.1.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.1.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. 
+9.1.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.1.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.1.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.1.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +9.1.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.1.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.1.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.1.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.1.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.1.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +9.1.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.1.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.1.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.1.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.1.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. +9.1.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.1.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.1.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.1.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.1.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.1.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.1.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.1.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.1.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.1.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.1.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.1.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.1.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.1.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.1.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.1.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.1.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+9.1.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.1.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +9.1.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.1.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.1.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.1.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.1.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.1.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.1.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. 
+9.1.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.1.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.1.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.1.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. +9.1.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.1.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.1.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.1.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.1.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.1.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.1.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.1.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.1.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.1.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.1.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.1.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +9.1.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.1.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
+9.1.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.1.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.1.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.1.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +9.1.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.1.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.1.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.1.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.1.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.1.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.1.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.1.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.1.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.1.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.1.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.1.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+9.1.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.1.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.1.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +9.1.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.1.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.1.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.1.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.1.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.1.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.1.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.1.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +9.1.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.1.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.1.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.1.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. 
+9.1.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.1.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.1.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.1.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. +9.1.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.1.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.1.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.1.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,file,file.created,date,extended,,,File creation time. +9.1.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.1.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.1.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.1.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.1.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+9.1.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.1.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.1.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.1.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.1.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.1.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.1.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.1.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.1.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +9.1.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.1.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.1.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+9.1.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +9.1.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.1.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.1.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.1.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.1.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.1.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 
+9.1.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.1.0-dev,true,host,host.id,keyword,core,,,Unique host id. +9.1.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +9.1.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.1.0-dev,true,host,host.name,keyword,core,,,Name of the host. +9.1.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.1.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.1.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.1.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.1.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.1.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+9.1.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.1.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.1.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.1.0-dev,true,host,host.type,keyword,core,,,Type of host. +9.1.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.1.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.1.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.1.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.1.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 
+9.1.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.1.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.1.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.1.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.1.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +9.1.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.1.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +9.1.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.1.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.1.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.1.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.1.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.1.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +9.1.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.1.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.1.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.1.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.1.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +9.1.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. 
+9.1.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.1.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.1.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.1.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.1.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +9.1.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +9.1.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.1.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.1.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.1.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.1.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.1.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.1.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.1.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.1.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.1.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.1.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.1.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+9.1.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.1.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.1.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.1.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +9.1.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +9.1.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +9.1.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.1.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.1.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.1.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.1.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+9.1.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.1.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.1.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.1.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.1.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.1.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.1.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.1.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.1.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.1.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.1.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.1.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+9.1.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.1.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.1.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.1.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.1.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.1.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +9.1.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.1.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.1.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.1.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. 
+9.1.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.1.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.1.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.1.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +9.1.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.1.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.1.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.1.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.1.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.1.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.1.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.1.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.1.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +9.1.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.1.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
+9.1.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.1.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.1.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.1.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +9.1.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +9.1.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.1.0-dev,true,package,package.name,keyword,extended,,go,Package name +9.1.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.1.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.1.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +9.1.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +9.1.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +9.1.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.1.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. 
+9.1.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.1.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
+9.1.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.1.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.1.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.1.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.1.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.1.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.1.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+9.1.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. 
+9.1.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
+9.1.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.1.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.1.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.1.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.1.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.1.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.1.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.1.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
+9.1.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.1.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.1.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
+9.1.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.1.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +9.1.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.1.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.1.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
+9.1.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.1.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.1.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. 
+9.1.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.1.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.1.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.1.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.1.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.1.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.1.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.1.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.1.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+9.1.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.1.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. 
+9.1.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.1.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.1.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.1.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.1.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +9.1.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. +9.1.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 
+9.1.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.1.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,process,process.pid,long,core,,4242,Process id. 
+9.1.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.1.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.1.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. 
+9.1.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.1.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.1.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.1.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.1.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.1.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.1.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. 
+9.1.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.1.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.1.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+9.1.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.1.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
+9.1.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.1.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.1.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.1.0-dev,true,process,process.title,keyword,extended,,,Process title. +9.1.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +9.1.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +9.1.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.1.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.1.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.1.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.1.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.1.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +9.1.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.1.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
+9.1.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.1.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.1.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.1.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.1.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.1.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+9.1.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.1.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.1.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.1.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +9.1.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.1.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.1.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.1.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.1.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.1.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.1.0-dev,true,server,server.address,keyword,extended,,,Server network address. +9.1.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.1.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.1.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 
+9.1.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +9.1.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.1.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.1.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +9.1.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.1.0-dev,true,server,server.port,long,core,,,Port of the server. +9.1.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.1.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +9.1.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.1.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.1.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.1.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.1.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.1.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
+9.1.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.1.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.1.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.1.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.1.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +9.1.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.1.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.1.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.1.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.1.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.1.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.1.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+9.1.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.1.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +9.1.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.1.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.1.0-dev,true,source,source.address,keyword,extended,,,Source network address. +9.1.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.1.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.1.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
+9.1.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +9.1.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.1.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.1.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +9.1.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.1.0-dev,true,source,source.port,long,core,,,Port of the source. +9.1.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.1.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +9.1.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.1.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.1.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.1.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.1.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.1.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.1.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.1.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.1.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.1.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.1.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.1.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.1.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.1.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.1.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.1.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.1.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.1.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.1.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.1.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.1.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.1.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+9.1.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.1.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.1.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.1.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.1.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.1.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.1.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.1.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.1.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.1.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.1.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +9.1.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.1.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.1.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.1.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.1.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.1.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.1.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.1.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.1.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.1.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.1.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.1.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.1.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.1.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.1.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.1.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.1.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.1.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.1.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.1.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.1.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.1.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.1.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.1.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.1.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.1.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.1.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.1.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+9.1.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.1.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.1.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.1.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.1.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.1.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.1.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+9.1.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.1.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.1.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.1.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.1.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.1.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.1.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.1.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.1.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.1.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.1.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.1.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
+9.1.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.1.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.1.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.1.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.1.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.1.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.1.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.1.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.1.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.1.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.1.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.1.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.1.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.1.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.1.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.1.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.1.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.1.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.1.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.1.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. +9.1.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.1.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.1.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.1.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.1.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.1.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.1.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.1.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.1.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.1.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.1.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.1.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.1.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.1.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.1.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.1.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.1.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.1.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.1.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+9.1.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.1.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.1.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.1.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.1.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.1.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.1.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.1.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.1.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.1.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.1.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.1.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.1.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.1.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.1.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+9.1.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.1.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.1.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.1.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.1.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.1.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.1.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
+9.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.1.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.1.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.1.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.1.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.1.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.1.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.1.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.1.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.1.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.1.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.1.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +9.1.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.1.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +9.1.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.1.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.1.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
+9.1.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.1.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.1.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.1.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.1.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.1.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.1.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.1.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.1.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.1.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+9.1.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.1.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.1.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.1.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.1.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.1.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.1.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.1.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.1.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.1.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.1.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.1.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +9.1.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +9.1.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.1.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.1.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+9.1.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.1.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.1.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.1.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.1.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.1.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.1.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.1.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.1.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.1.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.1.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.1.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.1.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.1.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.1.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.1.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.1.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.1.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.1.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.1.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.1.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.1.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.1.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.1.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.1.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.1.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.1.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.1.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.1.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.1.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.1.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.1.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.1.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +9.1.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.1.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.1.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.1.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.1.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.1.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.1.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +9.1.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.1.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.1.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.1.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.1.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.1.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.1.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +9.1.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +9.1.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.1.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +9.1.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.1.0-dev,true,user,user.email,keyword,extended,,,User email address. +9.1.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.1.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.1.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.1.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.1.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.1.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.1.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +9.1.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.1.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.1.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.1.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +9.1.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.1.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.1.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.1.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.1.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.1.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
+9.1.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.1.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.1.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.1.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.1.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.1.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.1.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.1.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.1.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.1.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.1.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.1.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. 
+9.1.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.1.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.1.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.1.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.1.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.1.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.1.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.1.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. +9.1.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.1.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +9.1.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.1.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.1.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.1.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.1.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. 
+9.1.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.1.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +9.1.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.1.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.1.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +9.1.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +9.1.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.1.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/composable/component/agent.json b/generated/elasticsearch/composable/component/agent.json index 7f17383fbb..a87fa619d2 100644 --- a/generated/elasticsearch/composable/component/agent.json +++ b/generated/elasticsearch/composable/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/base.json b/generated/elasticsearch/composable/component/base.json index 2bc1a03b2e..11306e3c7e 100644 --- a/generated/elasticsearch/composable/component/base.json +++ b/generated/elasticsearch/composable/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
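Review bot: in the `volume` rows of this CSV hunk, `volume.default_access` carries the description `Bus type of the device.`, which is the text of `volume.bus_type` and cannot be right for an access field, and `volume.product_name` reads `Produce name of the volume.`; since this file is generated, fix both in the schema source and regenerate rather than editing the CSV by hand. Two smaller description defects in the same hunk are worth folding into that fix: `user_agent.os.platform` reads `Operating system platform (such centos, ubuntu, windows).` (missing "as"), and `vulnerability.enumeration` is described as `Identifier of the vulnerability.` with example `CVE`, which describes `vulnerability.id` rather than the enumeration the value belongs to. Separately, every row shown here is a `+` line whose only visible difference is `9.1.0-dev` in the first column, so a changed type, level or description on any row would not stand out in this diff; before approving, compare the old and new CSV with the version column stripped (for example `cut -d, -f2-` on both files, then `diff`) and confirm the remaining rows are identical.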
diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 38d392ce1a..c091212a06 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 51d4fee30e..c6f45f59e6 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json index b797cddd81..c785eac82b 100644 --- a/generated/elasticsearch/composable/component/container.json +++ b/generated/elasticsearch/composable/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/data_stream.json b/generated/elasticsearch/composable/component/data_stream.json index c40f2d272c..29473ad3fd 100644 --- a/generated/elasticsearch/composable/component/data_stream.json +++ b/generated/elasticsearch/composable/component/data_stream.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 6fbccde9d2..57aec803d1 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index 337d0743ea..56b40cafb2 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index 7a25221e0a..10fb5cbaf9 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/dns.json b/generated/elasticsearch/composable/component/dns.json index 813cbb04a5..423ee5dc83 100644 --- a/generated/elasticsearch/composable/component/dns.json +++ b/generated/elasticsearch/composable/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/ecs.json b/generated/elasticsearch/composable/component/ecs.json index 38df701cbf..3601879b40 100644 --- a/generated/elasticsearch/composable/component/ecs.json +++ b/generated/elasticsearch/composable/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 5d41501e18..f83defb32b 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-email.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/error.json b/generated/elasticsearch/composable/component/error.json index 7093c10d23..eaf599c61b 100644 --- a/generated/elasticsearch/composable/component/error.json +++ b/generated/elasticsearch/composable/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/event.json b/generated/elasticsearch/composable/component/event.json index 1d6aca7979..ece5f3c3c4 100644 --- a/generated/elasticsearch/composable/component/event.json +++ b/generated/elasticsearch/composable/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/faas.json b/generated/elasticsearch/composable/component/faas.json index b8c16712d2..8e82ab0530 100644 --- a/generated/elasticsearch/composable/component/faas.json +++ b/generated/elasticsearch/composable/component/faas.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-faas.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index 65f6d93ac6..db8dc5e21d 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/group.json b/generated/elasticsearch/composable/component/group.json index a291ac1005..15b9409ab1 100644 --- a/generated/elasticsearch/composable/component/group.json +++ b/generated/elasticsearch/composable/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index 708b50da37..d500522a45 100644 --- a/generated/elasticsearch/composable/component/host.json +++ b/generated/elasticsearch/composable/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/http.json b/generated/elasticsearch/composable/component/http.json index 1ed457a5aa..02b1aa9e09 100644 --- a/generated/elasticsearch/composable/component/http.json +++ b/generated/elasticsearch/composable/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index aa8a9b2bec..84e35558b3 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/network.json b/generated/elasticsearch/composable/component/network.json index 8c09be1804..7fefb4db0b 100644 --- a/generated/elasticsearch/composable/component/network.json +++ b/generated/elasticsearch/composable/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/observer.json b/generated/elasticsearch/composable/component/observer.json index 851b69552b..ada4aeb373 100644 --- a/generated/elasticsearch/composable/component/observer.json +++ b/generated/elasticsearch/composable/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json index d2b0dd3172..c52f17d7fa 100644 --- a/generated/elasticsearch/composable/component/orchestrator.json +++ b/generated/elasticsearch/composable/component/orchestrator.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/organization.json b/generated/elasticsearch/composable/component/organization.json index 8730348984..e142a4745b 100644 --- a/generated/elasticsearch/composable/component/organization.json +++ b/generated/elasticsearch/composable/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/package.json b/generated/elasticsearch/composable/component/package.json index bdaa12d928..1c6a5f2cb3 100644 --- a/generated/elasticsearch/composable/component/package.json +++ b/generated/elasticsearch/composable/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 10b00ecc8c..a5a60a56b5 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/registry.json b/generated/elasticsearch/composable/component/registry.json index b8a73bd78b..d9f1fa97e7 100644 --- a/generated/elasticsearch/composable/component/registry.json +++ b/generated/elasticsearch/composable/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index d49f75237f..17b7b88626 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/rule.json b/generated/elasticsearch/composable/component/rule.json index bc9d02fa69..5806a9772a 100644 --- a/generated/elasticsearch/composable/component/rule.json +++ b/generated/elasticsearch/composable/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 1b3aa1e545..787741f234 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index b71751b1df..c3f847c441 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 88ce7768f5..d5a8c50ddb 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 5831dbf2c4..dea27a37a7 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tls.json b/generated/elasticsearch/composable/component/tls.json index 2bfd41ff15..c99b9b9d10 100644 --- a/generated/elasticsearch/composable/component/tls.json +++ b/generated/elasticsearch/composable/component/tls.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/tracing.json b/generated/elasticsearch/composable/component/tracing.json index 38b9537b3f..74b33a85e6 100644 --- a/generated/elasticsearch/composable/component/tracing.json +++ b/generated/elasticsearch/composable/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/url.json b/generated/elasticsearch/composable/component/url.json index 399b98f67a..c9f9dec599 100644 --- a/generated/elasticsearch/composable/component/url.json +++ b/generated/elasticsearch/composable/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index ca38a8750b..5feab3c4b7 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/user_agent.json b/generated/elasticsearch/composable/component/user_agent.json index cd15db5f42..7813afdcbc 100644 --- a/generated/elasticsearch/composable/component/user_agent.json +++ b/generated/elasticsearch/composable/component/user_agent.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/volume.json b/generated/elasticsearch/composable/component/volume.json index 76e7568b17..60de35c6cd 100644 --- a/generated/elasticsearch/composable/component/volume.json +++ b/generated/elasticsearch/composable/component/volume.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-volume.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/component/vulnerability.json b/generated/elasticsearch/composable/component/vulnerability.json index 3a4d823412..886b6a0d94 100644 --- a/generated/elasticsearch/composable/component/vulnerability.json +++ b/generated/elasticsearch/composable/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index f3f690bd4a..ccd18e85be 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -1,49 +1,49 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "9.0.0-dev" + "ecs_version": "9.1.0-dev" }, "composed_of": [ - "ecs_9.0.0-dev_base", - "ecs_9.0.0-dev_agent", - "ecs_9.0.0-dev_client", - "ecs_9.0.0-dev_cloud", - "ecs_9.0.0-dev_container", - "ecs_9.0.0-dev_data_stream", - "ecs_9.0.0-dev_destination", - "ecs_9.0.0-dev_device", - "ecs_9.0.0-dev_dll", - "ecs_9.0.0-dev_dns", - "ecs_9.0.0-dev_ecs", - "ecs_9.0.0-dev_email", - "ecs_9.0.0-dev_error", - "ecs_9.0.0-dev_event", - "ecs_9.0.0-dev_faas", - "ecs_9.0.0-dev_file", - "ecs_9.0.0-dev_group", - "ecs_9.0.0-dev_host", - "ecs_9.0.0-dev_http", - "ecs_9.0.0-dev_log", - "ecs_9.0.0-dev_network", - "ecs_9.0.0-dev_observer", - "ecs_9.0.0-dev_orchestrator", - "ecs_9.0.0-dev_organization", - "ecs_9.0.0-dev_package", - "ecs_9.0.0-dev_process", - "ecs_9.0.0-dev_registry", - "ecs_9.0.0-dev_related", - "ecs_9.0.0-dev_rule", - "ecs_9.0.0-dev_server", - "ecs_9.0.0-dev_service", - "ecs_9.0.0-dev_source", - "ecs_9.0.0-dev_threat", - "ecs_9.0.0-dev_tls", - "ecs_9.0.0-dev_tracing", - "ecs_9.0.0-dev_url", - "ecs_9.0.0-dev_user_agent", - "ecs_9.0.0-dev_user", - "ecs_9.0.0-dev_volume", - "ecs_9.0.0-dev_vulnerability" + "ecs_9.1.0-dev_base", + "ecs_9.1.0-dev_agent", + "ecs_9.1.0-dev_client", + "ecs_9.1.0-dev_cloud", + "ecs_9.1.0-dev_container", + "ecs_9.1.0-dev_data_stream", + "ecs_9.1.0-dev_destination", + "ecs_9.1.0-dev_device", + "ecs_9.1.0-dev_dll", + "ecs_9.1.0-dev_dns", + "ecs_9.1.0-dev_ecs", + "ecs_9.1.0-dev_email", + "ecs_9.1.0-dev_error", + "ecs_9.1.0-dev_event", + "ecs_9.1.0-dev_faas", + "ecs_9.1.0-dev_file", + "ecs_9.1.0-dev_group", + "ecs_9.1.0-dev_host", + "ecs_9.1.0-dev_http", + "ecs_9.1.0-dev_log", + "ecs_9.1.0-dev_network", + "ecs_9.1.0-dev_observer", + "ecs_9.1.0-dev_orchestrator", + "ecs_9.1.0-dev_organization", + "ecs_9.1.0-dev_package", + "ecs_9.1.0-dev_process", + "ecs_9.1.0-dev_registry", + "ecs_9.1.0-dev_related", + "ecs_9.1.0-dev_rule", + 
"ecs_9.1.0-dev_server", + "ecs_9.1.0-dev_service", + "ecs_9.1.0-dev_source", + "ecs_9.1.0-dev_threat", + "ecs_9.1.0-dev_tls", + "ecs_9.1.0-dev_tracing", + "ecs_9.1.0-dev_url", + "ecs_9.1.0-dev_user_agent", + "ecs_9.1.0-dev_user", + "ecs_9.1.0-dev_volume", + "ecs_9.1.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index e67f1f33c5..505721a3b8 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "9.0.0-dev" + "version": "9.1.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index f6c8661fed..f17a1af6a4 100644 --- a/version +++ b/version @@ -1 +1 @@ -9.0.0-dev +9.1.0-dev From 02adc3779b83c47a4970a6516caf772ce6dfc57c Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Fri, 28 Feb 2025 18:50:07 -0800 Subject: [PATCH 10/12] Add asciidoc release notes (#2440) --- docs/release-notes/8.17.asciidoc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/release-notes/8.17.asciidoc diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc new file mode 100644 index 0000000000..36a5d6ad8f --- /dev/null +++ b/docs/release-notes/8.17.asciidoc @@ -0,0 +1,18 @@ +[[ecs-release-notes-8.17.0]] +=== 8.17.0 + +[[schema-changes-8.17.0]] +[float] +==== Schema changes + +[[schema-bugfixes-8.17.0]] +[float] +===== Bugfixes +* Fix link rendering issues and usage of http in links. {ecs_pull}2423[#2423] + +[[schema-improvements-8.17.0]] +[float] +===== Improvements + +* Increase ignore_above value for url.query. {ecs_pull}2424[#2424] +* Set synthetic_source_keep = none on fields that represent sets. {ecs_pull}2422[#2422] From fe1163a0a7df5d669fcc21faef91c19dce1fa021 Mon Sep 17 00:00:00 2001 
From: Colleen McGinnis Date: Tue, 4 Mar 2025 14:16:12 -0600 Subject: [PATCH 11/12] add the new ci checks (#2450) Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> --- .../workflows/comment-on-asciidoc-changes.yml | 21 ------------------- .github/workflows/docs-build.yml | 19 +++++++++++++++++ .github/workflows/docs-cleanup.yml | 14 +++++++++++++ 3 files changed, 33 insertions(+), 21 deletions(-) delete mode 100644 .github/workflows/comment-on-asciidoc-changes.yml create mode 100644 .github/workflows/docs-build.yml create mode 100644 .github/workflows/docs-cleanup.yml diff --git a/.github/workflows/comment-on-asciidoc-changes.yml b/.github/workflows/comment-on-asciidoc-changes.yml deleted file mode 100644 index 8e5f836b14..0000000000 --- a/.github/workflows/comment-on-asciidoc-changes.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: Comment on PR for .asciidoc changes - -on: - # We need to use pull_request_target to be able to comment on PRs from forks - pull_request_target: - types: - - synchronize - - opened - - reopened - branches: - - main - - master - - "9.0" - -jobs: - comment-on-asciidoc-change: - permissions: - contents: read - pull-requests: write - uses: elastic/docs-builder/.github/workflows/comment-on-asciidoc-changes.yml@main diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml new file mode 100644 index 0000000000..bb466166d0 --- /dev/null +++ b/.github/workflows/docs-build.yml @@ -0,0 +1,19 @@ +name: docs-build + +on: + push: + branches: + - main + pull_request_target: ~ + merge_group: ~ + +jobs: + docs-preview: + uses: elastic/docs-builder/.github/workflows/preview-build.yml@main + with: + path-pattern: docs/** + permissions: + deployments: write + id-token: write + contents: read + pull-requests: read diff --git a/.github/workflows/docs-cleanup.yml b/.github/workflows/docs-cleanup.yml new file mode 100644 index 0000000000..f83e017b5f --- /dev/null +++ b/.github/workflows/docs-cleanup.yml 
@@ -0,0 +1,14 @@ +name: docs-cleanup + +on: + pull_request_target: + types: + - closed + +jobs: + docs-preview: + uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main + permissions: + contents: none + id-token: write + deployments: write From e7bade65cce862f9c2568d6004f95990ef65f317 Mon Sep 17 00:00:00 2001 From: "elastic-renovate-prod[bot]" <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Date: Tue, 4 Mar 2025 19:26:02 -0800 Subject: [PATCH 12/12] Update dependency mock to v5.2.0 (#2453) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf --- scripts/requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements-dev.txt b/scripts/requirements-dev.txt index ca8f64bcc8..6b0caeef43 100644 --- a/scripts/requirements-dev.txt +++ b/scripts/requirements-dev.txt @@ -1,6 +1,6 @@ # License: MIT autopep8==2.3.2 # License: BSD -mock==5.1.0 +mock==5.2.0 # License: GPLv3 yamllint==1.35.1
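Review bot: In the generated CSV hunk (the `volume.*` rows at the top of this region), the description for `volume.product_name` reads "Produce name of the volume." while the neighbouring `volume.product_id` row says "ProductID of the device."; this looks like a typo inherited from the source schema, so correct it in the schema YAML for the volume field set and regenerate, rather than editing the generated CSV by hand.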
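Review bot: The `9.0.0-dev` to `9.1.0-dev` bump spans every `generated/elasticsearch/composable/component/*.json` `_meta.ecs_version`, the `composed_of` list in `generated/elasticsearch/composable/template.json`, `generated/elasticsearch/legacy/template.json` and the `version` file; since all of these are generator output, confirm the hunks came from rerunning the generator after changing `version`, so that no component name in `composed_of` (for example `ecs_9.1.0-dev_vulnerability`) drifts from the `ecs_version` in its component file.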
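Review bot: In the new `docs/release-notes/8.17.asciidoc` hunk, the `===== Bugfixes` heading is followed directly by `* Fix link rendering issues and usage of http in links. {ecs_pull}2423[#2423]`, whereas `===== Improvements` is separated from its first bullet by a blank line; add the blank line after the Bugfixes heading so both subsections render the same way.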
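Review bot: In the new `.github/workflows/docs-build.yml` hunk, the `pull_request_target: ~` trigger together with `id-token: write` and `deployments: write` means pull requests from forks run with the base repository's permissions and can mint OIDC tokens, while the job delegates to `elastic/docs-builder/.github/workflows/preview-build.yml@main`, a mutable branch ref; pin the reusable workflow to a commit SHA (the same applies to `preview-cleanup.yml@main` in `docs-cleanup.yml`) and confirm the called workflow never checks out or executes the PR head under this token. Note that the deleted `comment-on-asciidoc-changes.yml` used the same `pull_request_target` trigger with only `contents: read` and `pull-requests: write`, so this change widens the permission set; the `contents: none` in the `docs-cleanup.yml` hunk is the pattern to follow for jobs that do not need repository contents.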
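Review bot: The `scripts/requirements-dev.txt` hunk keeps `mock` pinned to an exact version (`mock==5.2.0`), which is good, but the file carries no `--hash=sha256:...` entries; if the dev dependencies are installed in CI, consider adding hashes so a future bump like this one also verifies the artifact that is fetched, not only its version string.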