From 16514a1f1c9ad4b27b509da59f1e64418958a44e Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Thu, 13 Aug 2020 09:18:05 -0500
Subject: [PATCH 01/90] bumping version for 1.x release branch (#921)
---
 code/go/ecs/version.go | 2 +-
 docs/fields.asciidoc | 2 +-
 docs/index.asciidoc | 2 +-
 generated/beats/fields.ecs.yml | 2 +-
 generated/csv/fields.csv | 1344 +++++++++++------------
 generated/elasticsearch/6/template.json | 2 +-
 generated/elasticsearch/7/template.json | 2 +-
 version | 2 +-
 8 files changed, 679 insertions(+), 679 deletions(-)
diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index 8ccedee43b..ceb8cf7d1d 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.6.0-dev"
+const Version = "1.7.0-dev"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 9200f84a2a..1de0fae653 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@ [[ecs-field-reference]]
 == {ecs} Field Reference
-This is the documentation of ECS version 1.6.0-dev.
+This is the documentation of ECS version 1.7.0-dev.
 ECS defines multiple groups of related fields. They are called "field sets".
 The <> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 809916f660..c71023e83a 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -8,7 +8,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
-This is the documentation of ECS version 1.6.0-dev.
+This is the documentation of ECS version 1.7.0-dev.
 [float]
 === What is ECS?
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1b2d7679cd..d3a48009c1 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 1.6.0-dev.
+# based on ECS version 1.7.0-dev.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 - key: ecs
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 45ef39de6b..ba520eba06 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,673 +1,673 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.6.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.6.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.6.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.6.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.6.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.6.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.6.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.6.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.6.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.6.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.6.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.6.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.6.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.6.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.6.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.6.0-dev,true,client,client.domain,keyword,core,,,Client domain. -1.6.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.6.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.6.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.6.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.6.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -1.6.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.6.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.6.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.6.0-dev,true,client,client.port,long,core,,,Port of the client. -1.6.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.6.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -1.6.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.6.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.6.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. -1.6.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.6.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.6.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.6.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.6.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.6.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.6.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.6.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.6.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.6.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.6.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -1.6.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. 
-1.6.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.6.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.6.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.6.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.6.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.6.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.6.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.6.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.6.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. -1.6.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.6.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.6.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.6.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.6.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-1.6.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.6.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.6.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.6.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.6.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.6.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -1.6.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.6.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. -1.6.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 
-1.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.6.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.6.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.6.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.6.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.6.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.6.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.6.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.6.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.6.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.6.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.6.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.6.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.6.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.6.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.6.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.6.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-1.6.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.6.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.6.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.6.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -1.6.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.6.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.6.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.6.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags. -1.6.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.6.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.6.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.6.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -1.6.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.6.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.6.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
-1.6.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data -1.6.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.6.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.6.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.6.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.6.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.6.0-dev,true,error,error.message,text,core,,,Error message. -1.6.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. -1.6.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.6.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.6.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.6.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.6.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.6.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.6.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.6.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.6.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.6.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
-1.6.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.6.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.6.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.6.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.6.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.6.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.6.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.6.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.6.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.6.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.6.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.6.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.6.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.6.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.6.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -1.6.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-1.6.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.6.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.6.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.6.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.6.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.6.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.6.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.6.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.6.0-dev,true,file,file.created,date,extended,,,File creation time. -1.6.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.6.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.6.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -1.6.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.6.0-dev,true,file,file.extension,keyword,extended,,png,File extension. -1.6.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.6.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.6.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.6.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -1.6.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.6.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. 
-1.6.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.6.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.6.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.6.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.6.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.6.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.6.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.6.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.6.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.6.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.6.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.6.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.6.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.6.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.6.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.6.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -1.6.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -1.6.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 
-1.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-1.6.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.6.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.6.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-1.6.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.6.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.6.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.6.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.6.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -1.6.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.6.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.6.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.6.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.6.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.6.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.6.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.6.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.6.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.6.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.6.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.6.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.6.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,host,host.user.email,keyword,extended,,,User email address. -1.6.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.6.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. -1.6.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.6.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.6.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. -1.6.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.6.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 
-1.6.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.6.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.6.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.6.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. -1.6.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.6.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.6.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.6.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.6.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.6.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.6.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.6.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.6.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.6.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.6.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.6.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.6.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.6.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.6.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
-1.6.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.6.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.6.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.6.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.6.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.6.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.6.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.6.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.6.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.6.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.6.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.6.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.6.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.6.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.6.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.6.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.6.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.6.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-1.6.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.6.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.6.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.6.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.6.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.6.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.6.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.6.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.6.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.6.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.6.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-1.6.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.6.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.6.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.6.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.6.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.6.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.6.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.6.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.6.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.6.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.6.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.6.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.6.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.6.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.6.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.6.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-1.6.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.6.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.6.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.6.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.6.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.6.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.6.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -1.6.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.6.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.6.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.6.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.6.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.6.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.6.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -1.6.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.6.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.6.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.6.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.6.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
-1.6.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.6.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.6.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.6.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.6.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.6.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.6.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.6.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.6.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.6.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.6.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.6.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.6.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -1.6.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.6.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.6.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
-1.6.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.6.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -1.6.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.6.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.6.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.6.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.6.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.6.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.6.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.6.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.6.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.6.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.6.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.6.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.6.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.6.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 
-1.6.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.6.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.6.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.6.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.6.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -1.6.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.6.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.6.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.6.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.6.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.6.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.6.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.6.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.6.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.6.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.6.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.6.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.6.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 
-1.6.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -1.6.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -1.6.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.6.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.6.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.6.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.6.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.6.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.6.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.6.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.6.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.6.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.6.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.6.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.6.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.6.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.6.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.6.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 
-1.6.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -1.6.0-dev,true,process,process.title,keyword,extended,,,Process title. -1.6.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.6.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.6.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.6.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.6.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.6.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.6.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.6.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.6.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
-1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author -1.6.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.6.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.6.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.6.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.6.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.6.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.6.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.6.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.6.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.6.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.6.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.6.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.6.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.6.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.6.0-dev,true,server,server.domain,keyword,core,,,Server domain. -1.6.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.6.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.6.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-1.6.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.6.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -1.6.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.6.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.6.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.6.0-dev,true,server,server.port,long,core,,,Port of the server. -1.6.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.6.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -1.6.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.6.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. 
-1.6.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.6.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.6.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.6.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.6.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.6.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.6.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.6.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.6.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.6.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.6.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.6.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.6.0-dev,true,source,source.domain,keyword,core,,,Source domain. -1.6.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.6.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.6.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.6.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.6.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.6.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.6.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.6.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.6.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.6.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -1.6.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.6.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.6.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.6.0-dev,true,source,source.port,long,core,,,Port of the source. -1.6.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.6.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -1.6.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. 
-1.6.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. -1.6.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id. -1.6.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic. -1.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference. -1.6.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id. -1.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name. -1.6.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name. -1.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference. -1.6.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.6.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.6.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. 
-1.6.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.6.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -1.6.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.6.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.6.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.6.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.6.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.6.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.6.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.6.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. 
-1.6.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.6.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.6.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.6.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.6.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.6.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.6.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.6.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.6.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.6.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.6.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.6.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-1.6.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.6.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.6.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.6.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.6.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.6.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.6.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.6.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.6.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.6.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.6.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.6.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.6.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. 
-1.6.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.6.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.6.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.6.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.6.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.6.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.6.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.6.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.6.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.6.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. 
-1.6.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.6.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.6.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.6.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.6.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.6.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.6.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.6.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.6.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.6.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.6.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.6.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-1.6.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.6.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.6.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.6.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.6.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.6.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.6.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.6.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.6.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.6.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.6.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.6.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
-1.6.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -1.6.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -1.6.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.6.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.6.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.6.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.6.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.6.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.6.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." -1.6.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.6.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.6.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.6.0-dev,true,user,user.email,keyword,extended,,,User email address. -1.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-1.6.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.6.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.6.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.6.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -1.6.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.6.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.6.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. -1.6.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.6.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.6.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.6.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.6.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-1.6.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.6.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.6.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.6.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.6.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.6.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.6.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.6.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
-1.6.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.6.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.7.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.7.0-dev,true,client,client.domain,keyword,core,,,Client domain. +1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.7.0-dev,true,client,client.port,long,core,,,Port of the client. +1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address. 
+1.7.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. 
+1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.7.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.7.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.7.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. +1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +1.7.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags. +1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.7.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 
+1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data +1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.7.0-dev,true,error,error.message,text,core,,,Error message. +1.7.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. +1.7.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.7.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. 
+1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.7.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. 
+1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,file,file.created,date,extended,,,File creation time. +1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.7.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. 
+1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. 
+1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id. +1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.7.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,host,host.user.email,keyword,extended,,,User email address. +1.7.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. +1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.7.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. +1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.7.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
+1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
+1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
+1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.7.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
+1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.7.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.7.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
+1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.7.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
+1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.7.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.7.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.7.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
+1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.7.0-dev,true,process,process.title,keyword,extended,,,Process title. +1.7.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.7.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.7.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.7.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author +1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.7.0-dev,true,server,server.domain,keyword,core,,,Server domain. +1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.7.0-dev,true,server,server.port,long,core,,,Port of the server. +1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +1.7.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. 
+1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.7.0-dev,true,source,source.domain,keyword,core,,,Source domain. +1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.7.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.7.0-dev,true,source,source.port,long,core,,,Port of the source. +1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +1.7.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. 
+1.7.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. +1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id. +1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic. +1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference. +1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id. +1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name. +1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name. +1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference. +1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. 
+1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. 
+1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. 
+1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +1.7.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.7.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. 
+1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
+1.7.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.7.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.7.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.7.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." +1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,user,user.email,keyword,extended,,,User email address. +1.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.7.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
+1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 45973e04e4..4d2f5c6b90 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -5,7 +5,7 @@ "mappings": { "_doc": { "_meta": { - "version": "1.6.0-dev" + "version": "1.7.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 35c05f8040..30d15c5720 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.6.0-dev" + "version": "1.7.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/version b/version index bcfbf475d5..de023c91b1 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.6.0-dev +1.7.0-dev From 5d134c956e575425d407409c818cab2c025ea49a Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Thu, 13 Aug 2020 14:24:32 -0500 Subject: [PATCH 02/90] [1.x] add related.hosts (#913) (#924) --- CHANGELOG.next.md | 1 + code/go/ecs/related.go | 4 ++++ docs/field-details.asciidoc | 16 ++++++++++++++++ generated/beats/fields.ecs.yml | 7 +++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 12 ++++++++++++ generated/ecs/ecs_nested.yml | 12 ++++++++++++ generated/elasticsearch/6/template.json | 4 ++++ generated/elasticsearch/7/template.json | 4 ++++ schemas/related.yml | 10 ++++++++++ 10 files changed, 71 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ae6e775639..9c0144cd0a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -27,6 +27,7 @@ Thanks, you're awesome :-) --> * Added missing field reuse of `pe` at `process.parent.pe` #868 * Added `span.id` to the tracing fieldset, for additional log correlation (#882) * Added `event.reason` for the reason why an event's outcome or action was taken. #907 +* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913 #### Improvements diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go index 8facf9bcec..22acb9fee2 100644 --- a/code/go/ecs/related.go +++ b/code/go/ecs/related.go @@ -38,4 +38,8 @@ type Related struct { // to search for hashes can help in situations where you're unsure what the // hash algorithm is (and therefore which key name to search). Hash string `ecs:"hash"` + + // All hostnames or other host identifiers seen on your event. Example + // identifiers include FQDNs, domain names, workstation names, or aliases. + Hosts string `ecs:"hosts"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f9d23b7d47..c0c97dc14e 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -4610,6 +4610,22 @@ Note: this field should contain an array of values. +| extended + +// =============================================================== + +| related.hosts +| All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + + +Note: this field should contain an array of values. + + + + + | extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index d3a48009c1..fe2d9bf05c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3819,6 +3819,13 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). default_field: false + - name: hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false - name: ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ba520eba06..d8333ba416 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -442,6 +442,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8f8d13078f..bf40d50bbc 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5717,6 +5717,18 @@ related.hash: - array short: All the hashes seen on your event. type: keyword +related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword related.ip: dashed_name: related-ip description: All of the IPs seen on your event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 427dcbbbf7..fe594745d0 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -6807,6 +6807,18 @@ related: - array short: All the hashes seen on your event. type: keyword + related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword related.ip: dashed_name: related-ip description: All of the IPs seen on your event. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 4d2f5c6b90..dcfc5f0c16 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -2093,6 +2093,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 30d15c5720..4a73281b43 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -2092,6 +2092,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/schemas/related.yml b/schemas/related.yml index fd68c8b74f..5e53009475 100644 --- a/schemas/related.yml +++ b/schemas/related.yml @@ -43,3 +43,13 @@ the hash algorithm is (and therefore which key name to search). normalize: - array + + - name: hosts + level: extended + type: keyword + short: All the host identifiers seen on your event. + description: > + All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + normalize: + - array From 64ea560801e509d78c1ab1ee6aa6cd68daf69947 Mon Sep 17 00:00:00 2001 
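Review bot: The `description:` added for `hosts` in schemas/related.yml does not tell producers how to normalize the values, yet the field is `keyword`, so a pivot on `related.hosts` is an exact match and `HOST01`, `host01` and `host01.example.com` will not correlate with each other. The sibling `related.ip` gets canonical values from its `ip` type, as the fields.csv hunk shows, but for hostnames only the schema text can ask for that. I would extend the description with a sentence such as `Values should be lowercased and, when both are known, include the short host name as well as the FQDN, so that searches on this field correlate reliably.` Presumably the generated docs, the `related.go` comment and the CSV row in this commit are produced from this file, so the wording only needs to change here.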
From: Mathieu Martin Date: Tue, 18 Aug 2020 09:56:03 -0400 Subject: [PATCH 03/90] [1.x][DOCS] Fixes SIEM links (#936) --- docs/products-solutions.asciidoc | 6 +++--- docs/using-getting-started.asciidoc | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc index 4b0a2cf4ef..a8fca573cd 100644 --- a/docs/products-solutions.asciidoc +++ b/docs/products-solutions.asciidoc @@ -5,11 +5,11 @@ The following Elastic products support ECS out of the box, as of version 7.0: * {beats-ref}/beats-reference.html[{beats}] * {apm-get-started-ref}/overview.html[APM] -* {siem-guide}/siem-overview.html[Elastic SIEM app] -** {siem-guide}/siem-field-reference.html[SIEM Field Reference Guide] - a list of ECS fields used in the SIEM app +* {security-guide}/es-overview.html[Elastic Security] +** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security Server] -* {logs-guide}/logs-app-overview.html[Logs app] +* {logs-guide}/logs-app-overview.html[Logs Monitoring] * Log formatters that support ECS out of the box for various languages can be found https://github.com/elastic/ecs-logging/blob/master/README.md[here]. diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc index 8b71d14126..8e322d7428 100644 --- a/docs/using-getting-started.asciidoc +++ b/docs/using-getting-started.asciidoc 
@@ -285,5 +285,5 @@ Here are some examples of additional fields processed by metadata or parser proc We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic solutions, check out the reference guides below to learn more about each:
-* https://www.elastic.co/guide/en/logs/guide/current/logs-fields-reference.html[Logs UI fields reference]
-* https://www.elastic.co/guide/en/security/master/siem-field-reference.html[Elastic Security fields reference]
+* {logs-guide}/logs-fields-reference.html[Logs Monitoring Field Reference]
+* {security-guide}/siem-field-reference.html[Elastic Security Field Reference] From ab227b34fe72519519e16e94e8cf5fc10b7be80e Mon Sep 17 00:00:00 2001
From: Eric Beahan Date: Thu, 20 Aug 2020 12:54:28 -0500 Subject: [PATCH 04/90] [1.x] Consolidate field-details doc template (#897) (#946) --- CHANGELOG.next.md | 1 + docs/field-details.asciidoc | 2 +- scripts/generators/asciidoc_fields.py | 270 ++++++------------ scripts/templates/field_details.j2 | 113 ++++++++ .../field_details/acceptable_value_names.j2 | 8 - .../field_details/field_reuse_section.j2 | 6 - .../templates/field_details/nestings_row.j2 | 7 - .../field_details/nestings_table_header.j2 | 11 - scripts/templates/field_details/row.j2 | 14 - .../templates/field_details/table_header.j2 | 14 - ...eld_values_template.j2 => field_values.j2} | 0 .../{fields_template.j2 => fields.j2} | 0 scripts/tests/test_asciidoc_fields.py | 132 +++++++++ 13 files changed, 327 insertions(+), 251 deletions(-) create mode 100644 scripts/templates/field_details.j2 delete mode 100644 scripts/templates/field_details/acceptable_value_names.j2 delete mode 100644 scripts/templates/field_details/field_reuse_section.j2 delete mode 100644 scripts/templates/field_details/nestings_row.j2 delete mode 100644 scripts/templates/field_details/nestings_table_header.j2 delete mode 100644 scripts/templates/field_details/row.j2 delete mode 100644 scripts/templates/field_details/table_header.j2 rename scripts/templates/{field_values_template.j2 => field_values.j2} (100%) rename scripts/templates/{fields_template.j2 => fields.j2} (100%) create mode 100644 scripts/tests/test_asciidoc_fields.py diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9c0144cd0a..30bf294951 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -104,6 +104,7 @@ Thanks, you're awesome :-) --> * Jinja2 templates now define the doc structure for the AsciiDoc generator. #865 * Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset, in addition to the intermediate files generated for the combined subset. #873 +* Field details Jinja2 template components have been consolidated into one template #897 #### Deprecated diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index c0c97dc14e..d6f3236892 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1,4 +1,3 @@ - [[ecs-base]] === Base Fields @@ -7085,3 +7084,4 @@ Note also that the `x509` fields are not expected to be used directly at the roo + diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py index c25d7b8162..2aa6f4a8cd 100644 --- a/scripts/generators/asciidoc_fields.py +++ b/scripts/generators/asciidoc_fields.py @@ -5,11 +5,6 @@ from generators import ecs_helpers -# jinja2 setup -TEMPLATE_DIR = path.join(path.dirname(path.abspath(__file__)), '../templates') -template_loader = jinja2.FileSystemLoader(searchpath=TEMPLATE_DIR) -template_env = jinja2.Environment(loader=template_loader) - def generate(nested, ecs_version, out_dir): save_asciidoc(path.join(out_dir, 'fields.asciidoc'), page_field_index(nested, ecs_version)) 
@@ -19,6 +14,64 @@ def generate(nested, ecs_version, out_dir): # Helpers +def render_fieldset_reuse_text(fieldset): + """Renders the expected nesting locations + if the the `reusable` object is present. + + :param fieldset: The fieldset to evaluate + """ + if not fieldset.get('reusable'): + return None + reusable_fields = fieldset['reusable']['expected'] + sorted_fields = sorted(reusable_fields, key=lambda k: k['full']) + return map(lambda f: f['full'], sorted_fields) + + +def render_nestings_reuse_section(fieldset): + """Renders the reuse section entries. + + :param fieldset: The target fieldset + """ + if not fieldset.get('reused_here'): + return None + rows = [] + for reused_here_entry in fieldset['reused_here']: + rows.append({ + 'flat_nesting': "{}.*".format(reused_here_entry['full']), + 'name': reused_here_entry['schema_name'], + 'short': reused_here_entry['short'] + }) + + return sorted(rows, key=lambda x: x['flat_nesting']) + + +def extract_allowed_values_key_names(field): + """Extracts the `name` keys from the field's + allowed_values if present in the field + object. + + :param field: The target field + """ + if not field.get('allowed_values'): + return [] + return ecs_helpers.list_extract_keys(field['allowed_values'], 'name') + + +def sort_fields(fieldset): + """Prepares a fieldset's fields for being + passed into the j2 template for rendering. This + includes sorting them into a list of objects and + adding a field for the names of any allowed values + for the field, if present. + + :param fieldset: The target fieldset + """ + fields_list = list(fieldset['fields'].values()) + for field in fields_list: + field['allowed_value_names'] = extract_allowed_values_key_names(field) + return sorted(fields_list, key=lambda field: field['name']) + + def templated(template_name): """Decorator function to simplify rendering a template. 
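Review bot: `render_nestings_reuse_section` gates on `fieldset.get('reused_here')` and returns `None` otherwise, while the new field_details.j2 template (the hunk in scripts/templates/field_details.j2 further down) loops over its result under `{% if 'nestings' in fieldset %}`, so a field set that carries `nestings` without `reused_here` would hand Jinja2 a `None` to iterate. Returning an empty list keeps the template safe for either shape: `return []` in place of `return None`, and likewise in `render_fieldset_reuse_text`, whose result is joined in the template. `sort_fields` also writes `allowed_value_names` into each field dict of the shared `nested` structure, so the docs generator mutates data that later generators see; copying the field (`dict(field)`) before adding the key would avoid the side effect. The docstring of `render_fieldset_reuse_text` has a doubled "the the" and speaks of rendering, whereas the function returns a lazy `map` of the sorted `full` names, which is worth stating since it can only be consumed once. `templated`'s body continues outside the hunk.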
@@ -53,12 +106,19 @@ def save_asciidoc(f, text): with open(f, "w") as outfile: outfile.write(text) +# jinja2 setup + + +TEMPLATE_DIR = path.join(path.dirname(path.abspath(__file__)), '../templates') +template_loader = jinja2.FileSystemLoader(searchpath=TEMPLATE_DIR) +template_env = jinja2.Environment(loader=template_loader) # Rendering schemas # Field Index -@templated('fields_template.j2') + +@templated('fields.j2') def page_field_index(nested, ecs_version): fieldsets = ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name']) return dict(ecs_version=ecs_version, fieldsets=fieldsets) 
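Review bot: The re-added `# jinja2 setup` comment is separated from the `TEMPLATE_DIR`/`template_loader`/`template_env` lines it labels by two blank lines, which makes it read as a stray section heading rather than a label for that block; dropping the blank lines so the comment sits directly above `TEMPLATE_DIR` fixes that. Moving the environment setup below `templated` is only safe if `templated` looks up `template_env` no earlier than decoration time, which cannot be confirmed here because its body is outside the hunk; a one-line comment such as `# placed after templated(): the decorator resolves template_env when applied, not when defined` would record the ordering dependency for the next person who reorders the file.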
@@ -66,197 +126,27 @@ def page_field_index(nested, ecs_version): # Field Details Page - def page_field_details(nested): - page_text = '' - for fieldset in ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name']): - page_text += render_fieldset(fieldset, nested) - return page_text - - -def render_fieldset(fieldset, nested): - text = field_details_table_header( - title=fieldset['title'], - name=fieldset['name'], - description=fieldset['description'] - ) - - text += render_fields(fieldset['fields']) - - text += table_footer() - - text += render_fieldset_reuse_section(fieldset, nested) - - return text - - -def render_fields(fields): - text = '' - for _, field in sorted(fields.items()): - # Skip fields nested in this field set - if 'original_fieldset' not in field: - text += render_field_details_row(field) - return text - - -def render_field_allowed_values(field): - if not 'allowed_values' in field: - return '' - allowed_values = ', '.join(ecs_helpers.list_extract_keys(field['allowed_values'], 'name')) - - return field_acceptable_value_names( - allowed_values=allowed_values, - flat_name=field['flat_name'], - dashed_name=field['dashed_name'] - ) - - -def render_field_details_row(field): - example = '' - if 'allowed_values' in field: - example = render_field_allowed_values(field) - elif 'example' in field: - example = "example: `{}`".format(str(field['example'])) - - field_type_with_mf = field['type'] - if 'multi_fields' in field: - field_type_with_mf += "\n\nMulti-fields:\n\n" - for mf in field['multi_fields']: - field_type_with_mf += "* {} (type: {})\n\n".format(mf['flat_name'], mf['type']) - - field_normalization = '' - if 'array' in field['normalize']: - field_normalization = "\nNote: this field should contain an array of values.\n\n" - - text = field_details_row( - flat_name=field['flat_name'], - description=field['description'], - field_type=field_type_with_mf, - example=example, - normalization=field_normalization, - level=field['level'] - ) - - return text - - 
-def render_fieldset_reuse_section(fieldset, nested): - '''Render the section on where field set can be nested, and which field sets can be nested here''' - if not ('nestings' in fieldset or 'reusable' in fieldset): - return '' - - text = field_reuse_section( - reuse_of_fieldset=render_fieldset_reuses_text(fieldset) - ) - - if 'nestings' in fieldset: - text += nestings_table_header( - name=fieldset['name'], - title=fieldset['title'] - ) - rows = [] - for reused_here_entry in fieldset['reused_here']: - rows.append({ - 'flat_nesting': "{}.*".format(reused_here_entry['full']), - 'name': reused_here_entry['schema_name'], - 'short': reused_here_entry['short'] - }) - - for row in sorted(rows, key=lambda x: x['flat_nesting']): - text += nestings_row( - nesting_name=row['name'], - flat_nesting=row['flat_nesting'], - nesting_short=row['short'] - ) - - text += table_footer() - return text - - -def render_fieldset_reuses_text(fieldset): - '''Render where a given field set is expected to be reused''' - if 'reusable' not in fieldset: - return '' - - section_name = fieldset['name'] - sorted_fields = sorted(fieldset['reusable']['expected'], key=lambda k: k['full']) - rendered_fields = map(lambda f: "`{}`".format(f['full']), sorted_fields) - text = "The `{}` fields are expected to be nested at: {}.\n\n".format( - section_name, ', '.join(rendered_fields)) - - if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level']: - template = "Note also that the `{}` fields may be used directly at the root of the events.\n\n" - else: - template = "Note also that the `{}` fields are not expected to " + \ - "be used directly at the root of the events.\n\n" - text += template.format(section_name) - return text - - -# Templates - -def table_footer(): - return ''' -|===== -''' - -# Field Details Page - -# Main Fields Table - - -@templated('field_details/table_header.j2') -def field_details_table_header(title, name, description): - return dict(name=name, title=title, 
description=description) - - -@templated('field_details/row.j2') -def field_details_row(flat_name, description, field_type, normalization, example, level): - return dict( - flat_name=flat_name, - description=description, - field_type=field_type, - normalization=normalization, - example=example, - level=level - ) - - -@templated('field_details/acceptable_value_names.j2') -def field_acceptable_value_names(allowed_values, dashed_name, flat_name): - return dict( - allowed_values=allowed_values, - dashed_name=dashed_name, - flat_name=flat_name - ) - - -# Field reuse - -@templated('field_details/field_reuse_section.j2') -def field_reuse_section(reuse_of_fieldset): - return dict(reuse_of_fieldset=reuse_of_fieldset) - - -# Nestings table - -@templated('field_details/nestings_table_header.j2') -def nestings_table_header(name, title): - return dict(name=name, title=title) + fieldsets = ecs_helpers.dict_sorted_by_keys(nested, ['group', 'name']) + results = (generate_field_details_page(fieldset) for fieldset in fieldsets) + return ''.join(results) -@templated('field_details/nestings_row.j2') -def nestings_row(nesting_name, flat_nesting, nesting_short): - return dict( - nesting_name=nesting_name, - flat_nesting=flat_nesting, - nesting_short=nesting_short - ) +@templated('field_details.j2') +def generate_field_details_page(fieldset): + # render field reuse text section + sorted_reuse_fields = render_fieldset_reuse_text(fieldset) + render_nestings_reuse_fields = render_nestings_reuse_section(fieldset) + sorted_fields = sort_fields(fieldset) + return dict(fieldset=fieldset, + sorted_reuse_fields=sorted_reuse_fields, + render_nestings_reuse_section=render_nestings_reuse_fields, + sorted_fields=sorted_fields) # Allowed values section -@templated('field_values_template.j2') +@templated('field_values.j2') def page_field_values(nested, template_name='field_values_template.j2'): category_fields = ['event.kind', 'event.category', 'event.type', 'event.outcome'] nested_fields = [] 
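Review bot: `page_field_values` at the end of the hunk keeps the default `template_name='field_values_template.j2'`, a file this commit renames to `field_values.j2`; the decorator above it now names the right template, so the parameter appears unused and its default is stale. Either drop the parameter or update it to `'field_values.j2'` so the signature does not advertise a template that no longer exists (whether `templated` consults it cannot be seen here, as its body is outside the hunk). In `generate_field_details_page` the comment `# render field reuse text section` describes only the first of the three lookups, and the local `render_nestings_reuse_fields` reads like a function name; a docstring saying the function gathers the sorted reuse targets, the nestings rows and the sorted fields that field_details.j2 expects, with the local renamed to `nestings_rows`, would be clearer. `page_field_values`' body continues outside the hunk.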
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2 new file mode 100644 index 0000000000..0b1bb6e224 --- /dev/null +++ b/scripts/templates/field_details.j2 
@@ -0,0 +1,113 @@ +{# Title & Description -#} +[[ecs-{{ fieldset['name'] }}]] +=== {{ fieldset['title'] }} Fields + +{{ fieldset['description']|replace("\n", "\n\n") }} + +{# Field Details Table Header -#} +==== {{ fieldset['title'] }} Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +{# Iterate through each field in the set -#} +{% for field in sorted_fields -%} +{% if 'original_fieldset' not in field -%} + +{# `Field` column -#} +| {{ field['flat_name'] }} +{# `Description` column -#} +| {{ field['description']|replace("\n", "\n\n") }} + +type: {{ field['type'] }} + +{% if 'multi_fields' in field -%} + +Multi-fields: + +{% for mf in field['multi_fields'] -%} + +* {{ mf['flat_name'] }} (type: {{ mf ['type'] }}) + + +{% endfor %}{# for mf #} +{% endif %}{# if 'multi_fields' #} +{% if 'array' in field['normalize'] -%} + +Note: this field should contain an array of values. + + +{% endif %} +{% if 'allowed_values' in field %} +*Important*: The field value must be one of the following: + +{{ field['allowed_value_names']|join(', ') }} + +To learn more about when to use which value, visit the page +<> +{% elif 'example' in field -%} + +example: `{{ field['example'] }}` + +{%- endif %}{# if 'allowed_values' elif 'example' #} + +{# `Level` column -#} +| {{ field['level'] }} + +// =============================================================== + +{% endif %}{# if 'original_fieldset' -#} +{% endfor %}{# for 'field' -#} + +|===== + +{# do we have `nestings` or `reusable` sections to worry about? -#} +{% if 'nestings' in fieldset or 'reusable' in fieldset -%} + +==== Field Reuse + +{% if 'reusable' in fieldset -%} + +The `{{ fieldset['name'] }}` fields are expected to be nested at: `{{ sorted_reuse_fields|join("`, `") }}`. 
+ +{% if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level'] -%} + +Note also that the `{{ fieldset['name'] }}` fields may be used directly at the root of the events. + +{% else -%} + +Note also that the `{{ fieldset['name'] }}` fields are not expected to be used directly at the root of the events. + +{% endif %}{# if 'top_level' -#} +{% endif %}{# if 'reusable' #} + + +{% if 'nestings' in fieldset -%} + +[[ecs-{{ fieldset['name'] }}-nestings]] +===== Field sets that can be nested under {{ fieldset['title'] }} + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +{% for entry in render_nestings_reuse_section -%} + +| <> +| {{ entry['short'] }} + +// =============================================================== + + +{% endfor -%} + +|===== + +{% endif %}{# if 'nestings' #} +{%- endif %}{# if 'nestings' or 'reusable' in fieldset #} diff --git a/scripts/templates/field_details/acceptable_value_names.j2 b/scripts/templates/field_details/acceptable_value_names.j2 deleted file mode 100644 index 6080445742..0000000000 --- a/scripts/templates/field_details/acceptable_value_names.j2 +++ /dev/null @@ -1,8 +0,0 @@ - -*Important*: The field value must be one of the following: - -{{ allowed_values }} - -To learn more about when to use which value, visit the page -<> - diff --git a/scripts/templates/field_details/field_reuse_section.j2 b/scripts/templates/field_details/field_reuse_section.j2 deleted file mode 100644 index 37aa7ded45..0000000000 --- a/scripts/templates/field_details/field_reuse_section.j2 +++ /dev/null @@ -1,6 +0,0 @@ - -==== Field Reuse - -{{ reuse_of_fieldset }} - - diff --git a/scripts/templates/field_details/nestings_row.j2 b/scripts/templates/field_details/nestings_row.j2 deleted file mode 100644 index 826af848bb..0000000000 --- a/scripts/templates/field_details/nestings_row.j2 +++ /dev/null 
@@ -1,7 +0,0 @@ - -| <> -| {{ nesting_short }} - -// =============================================================== - - diff --git a/scripts/templates/field_details/nestings_table_header.j2 b/scripts/templates/field_details/nestings_table_header.j2 deleted file mode 100644 index 2ef25791d9..0000000000 --- a/scripts/templates/field_details/nestings_table_header.j2 +++ /dev/null @@ -1,11 +0,0 @@ - -[[ecs-{{ name }}-nestings]] -===== Field sets that can be nested under {{ title }} - -[options="header"] -|===== -| Nested fields | Description - -// =============================================================== - - diff --git a/scripts/templates/field_details/row.j2 b/scripts/templates/field_details/row.j2 deleted file mode 100644 index 90e2c8877f..0000000000 --- a/scripts/templates/field_details/row.j2 +++ /dev/null @@ -1,14 +0,0 @@ - -| {{ flat_name }} -| {{ description|replace("\n", "\n\n") }} - -type: {{ field_type }} - -{{ normalization }} - -{{ example }} - -| {{ level }} - -// =============================================================== - diff --git a/scripts/templates/field_details/table_header.j2 b/scripts/templates/field_details/table_header.j2 deleted file mode 100644 index 4496e8e768..0000000000 --- a/scripts/templates/field_details/table_header.j2 +++ /dev/null @@ -1,14 +0,0 @@ - -[[ecs-{{ name }}]] -=== {{ title }} Fields - -{{ description|replace("\n", "\n\n") }} - -==== {{ title }} Field Details - -[options="header"] -|===== -| Field | Description | Level - -// =============================================================== - diff --git a/scripts/templates/field_values_template.j2 b/scripts/templates/field_values.j2 similarity index 100% rename from scripts/templates/field_values_template.j2 rename to scripts/templates/field_values.j2 diff --git a/scripts/templates/fields_template.j2 b/scripts/templates/fields.j2 similarity index 100% rename from scripts/templates/fields_template.j2 rename to scripts/templates/fields.j2 
diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py new file mode 100644 index 0000000000..1a099a9958 --- /dev/null +++ b/scripts/tests/test_asciidoc_fields.py 
@@ -0,0 +1,132 @@ +import os +import sys +import unittest + +sys.path.append(os.path.join(os.path.dirname(__file__), '..')) + +from scripts.generators import asciidoc_fields +from scripts.generators import intermediate_files +from scripts.schema import cleaner +from scripts.schema import loader +from scripts.schema import finalizer + + +class TestGeneratorsAsciiFields(unittest.TestCase): + + def setUp(self): + self.foo_fieldset = self.dummy_fieldset() + + def dummy_fieldset(self): + return { + 'description': 'foo', + 'fields': { + 'foo.type': { + 'dashed_name': 'foo-type', + 'description': 'describes the foo', + 'example': '2016-05-23T08:05:34.853Z', + 'flat_name': 'foo.type', + 'level': 'core', + 'name': 'type', + 'normalize': ['array'], + 'short': 'describes the foo', + 'ignore_above': 1024, + 'type': 'keyword', + 'allowed_values': [{ + 'description': 'fluffy foo', + 'name': 'fluffy', + }, + { + 'description': 'coarse foo', + 'name': 'coarse', + } + ] + }, + 'foo.id': { + 'dashed_name': 'foo-id', + 'description': 'Unique ID of the foo.', + 'example': 'foo123', + 'flat_name': 'foo.id', + 'ignore_above': 1024, + 'level': 'core', + 'name': 'id', + 'normalize': [], + 'short': 'Unique ID of the foo.', + 'type': 'keyword' + } + }, + 'reusable': { + 'expected': [ + { + 'as': 'foo', + 'at': 'server', + 'full': 'server.foo' + }, + { + 'as': 'foo', + 'at': 'source', + 'full': 'source.foo' + }, + { + 'as': 'foo', + 'at': 'client', + 'full': 'client.foo', + }, + { + 'as': 'foo', + 'at': 'destination', + 'full': 'destination.foo' + } + ], + 'top_level': False, + }, + 'reused_here': [ + { + 'full': 'foo.as', + 'schema_name': 'as', + 'short': 'Fields describing an AS' + } + ], + 'group': 2, + 'name': 'foo', + 'prefix': 'foo.', + 'short': 'Foo fields', + 'title': 'Foo', + 'type': 'group' + } + + def test_validate_sort_fieldset(self): + sorted_foo_fields = asciidoc_fields.sort_fields(self.foo_fieldset) + #import pdb;pdb.set_trace() + self.assertIsInstance(sorted_foo_fields, list) 
+ + # `allowed_value_names` always present + for field in sorted_foo_fields: + self.assertIsInstance(field.get('allowed_value_names'), list) + + self.assertFalse(sorted_foo_fields[0]['allowed_value_names']) + self.assertEqual('id', sorted_foo_fields[0]['name']) + self.assertEqual('type', sorted_foo_fields[1]['name']) + self.assertIn('fluffy', sorted_foo_fields[1]['allowed_value_names']) + self.assertIn('coarse', sorted_foo_fields[1]['allowed_value_names']) + + def test_rendering_fieldset_reuse(self): + foo_reuse_fields = asciidoc_fields.render_fieldset_reuse_text(self.foo_fieldset) + expected_sorted_reuse_fields = ( + 'client.foo', + 'destination.foo', + 'server.foo', + 'source.foo' + ) + + self.assertEqual(expected_sorted_reuse_fields, tuple(foo_reuse_fields)) + + def test_rendering_fieldset_nesting(self): + foo_nesting_fields = asciidoc_fields.render_nestings_reuse_section(self.foo_fieldset) + self.assertIsInstance(foo_nesting_fields, list) + self.assertEqual('foo.as.*', foo_nesting_fields[0]['flat_nesting']) + self.assertEqual('as', foo_nesting_fields[0]['name']) + self.assertEqual('Fields describing an AS', foo_nesting_fields[0]['short']) + + +if __name__ == '__main__': + unittest.main() From e106899932c7ead39b46c2d9b4cca82144ec766f Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 24 Aug 2020 08:19:13 -0400 Subject: [PATCH 05/90] Add http.[request|response].mime_type (#944) (#949) --- CHANGELOG.next.md | 1 + code/go/ecs/http.go | 14 +++++++++++ docs/field-details.asciidoc | 30 +++++++++++++++++++++++ generated/beats/fields.ecs.yml | 24 +++++++++++++++++++ generated/csv/fields.csv | 2 ++ generated/ecs/ecs_flat.yml | 30 +++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 32 +++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 8 +++++++ generated/elasticsearch/7/template.json | 8 +++++++ schemas/http.yml | 28 ++++++++++++++++++++++ 10 files changed, 177 insertions(+) 
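Review bot: `test_validate_sort_fieldset` carries a leftover debugger line, `#import pdb;pdb.set_trace()`, which should be removed before merging. The tests also leave the input-mutation behaviour of `sort_fields` unpinned (it adds `allowed_value_names` to the dicts inside `self.foo_fieldset`); an assertion on `self.foo_fieldset['fields']['foo.id']` after the call would make that contract explicit one way or the other. The `sys.path.append` adds `scripts/` itself, yet the imports are spelled `from scripts.generators import ...`, which presumably relies on the repository root already being on the path; a comment stating that expectation would help anyone running the file directly through `unittest.main()`.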
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 30bf294951..a3e479ca12 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -28,6 +28,7 @@ Thanks, you're awesome :-) --> * Added `span.id` to the tracing fieldset, for additional log correlation (#882) * Added `event.reason` for the reason why an event's outcome or action was taken. #907 * Added `related.hosts` to capture all hostnames and host identifiers on an event. #913 +* Added Mime Type fields to HTTP request and response. #944 #### Improvements diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go index 678df098b9..9abb112274 100644 --- a/code/go/ecs/http.go +++ b/code/go/ecs/http.go @@ -30,6 +30,13 @@ type Http struct { // mandated in ECS 2.0.0 RequestMethod string `ecs:"request.method"` + // Mime type of the body of the request. + // This value must only be populated based on the content of the request + // body, not on the `Content-Type` header. Comparing the mime type of a + // request with the request's Content-Type header can be helpful in + // detecting threats or misconfigured clients. + RequestMimeType string `ecs:"request.mime_type"` + // The full HTTP request body. RequestBodyContent string `ecs:"request.body.content"` @@ -39,6 +46,13 @@ type Http struct { // HTTP response status code. ResponseStatusCode int64 `ecs:"response.status_code"` + // Mime type of the body of the response. + // This value must only be populated based on the content of the response + // body, not on the `Content-Type` header. Comparing the mime type of a + // response with the response's Content-Type header can be helpful in + // detecting misconfigured servers. + ResponseMimeType string `ecs:"response.mime_type"` + // The full HTTP response body. ResponseBodyContent string `ecs:"response.body.content"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d6f3236892..3e38c16c45 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -2836,6 +2836,21 @@ example: `GET, POST, PUT, PoST` // =============================================================== +| http.request.mime_type +| Mime type of the body of the request. + +This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + +type: keyword + + + +example: `image/gif` + +| extended + +// =============================================================== + | http.request.referrer | Referrer for this HTTP request. @@ -2894,6 +2909,21 @@ example: `1437` // =============================================================== +| http.response.mime_type +| Mime type of the body of the response. + +This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. + +type: keyword + + + +example: `image/gif` + +| extended + +// =============================================================== + | http.response.status_code | HTTP response status code. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fe2d9bf05c..28c195fff2 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2317,6 +2317,18 @@ method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' example: GET, POST, PUT, PoST + - name: request.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + default_field: false - name: request.referrer level: extended type: keyword @@ -2346,6 +2358,18 @@ format: bytes description: Total size in bytes of the response (body and headers). example: 1437 + - name: response.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + default_field: false - name: response.status_code level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d8333ba416..9487929101 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -269,11 +269,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. 1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. 1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. 1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. 1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. 1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. 1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bf40d50bbc..f8110a362b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3617,6 +3617,21 @@ http.request.method: normalize: [] short: HTTP request method. type: keyword +http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, not + on the `Content-Type` header. Comparing the mime type of a request with the request''s + Content-Type header can be helpful in detecting threats or misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -3666,6 +3681,21 @@ http.response.bytes: normalize: [] short: Total size in bytes of the response (body and headers). type: long +http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, not + on the `Content-Type` header. Comparing the mime type of a response with the response''s + Content-Type header can be helpful in detecting misconfigured servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fe594745d0..13b273fcfb 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4302,6 +4302,22 @@ http: normalize: [] short: HTTP request method. type: keyword + http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword http.request.referrer: dashed_name: http-request-referrer description: Referrer for this HTTP request. @@ -4351,6 +4367,22 @@ http: normalize: [] short: Total size in bytes of the response (body and headers). type: long + http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword http.response.status_code: dashed_name: http-response-status-code description: HTTP response status code. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index dcfc5f0c16..6f98745d9b 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1262,6 +1262,10 @@ "ignore_above": 1024, "type": "keyword" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "referrer": { "ignore_above": 1024, "type": "keyword" 
@@ -1290,6 +1294,10 @@ "bytes": { "type": "long" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "status_code": { "type": "long" } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 4a73281b43..177889f92d 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1261,6 +1261,10 @@ "ignore_above": 1024, "type": "keyword" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "referrer": { "ignore_above": 1024, "type": "keyword" @@ -1289,6 +1293,10 @@ "bytes": { "type": "long" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "status_code": { "type": "long" } diff --git a/schemas/http.yml b/schemas/http.yml index efeae921b3..9002408cab 100644 --- a/schemas/http.yml +++ b/schemas/http.yml @@ -26,6 +26,20 @@ example: GET, POST, PUT, PoST + - name: request.mime_type + level: extended + type: keyword + short: Mime type of the body of the request. + description: > + Mime type of the body of the request. + + This value must only be populated based on the content of the request + body, not on the `Content-Type` header. Comparing the mime type of a + request with the request's Content-Type header can be helpful in detecting + threats or misconfigured clients. + + example: image/gif + - name: request.body.content level: extended type: keyword @@ -51,6 +65,20 @@ HTTP response status code. example: 404 + - name: response.mime_type + level: extended + type: keyword + short: Mime type of the body of the response. + description: > + Mime type of the body of the response. + + This value must only be populated based on the content of the response + body, not on the `Content-Type` header. Comparing the mime type of a + response with the response's Content-Type header can be helpful in detecting + misconfigured servers. + + example: image/gif + - name: response.body.content level: extended type: keyword 
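Review bot: The `description` for `request.mime_type` (and the parallel `response.mime_type` hunk) forbids populating the field from the `Content-Type` header but does not say what a producer should do when the body is empty or content-based detection is inconclusive, and the detection value the text promises (comparing the sniffed type with the declared header) only holds if the field never silently falls back to the header. A sentence such as `If the body is absent or its type cannot be determined from content, leave this field unset rather than copying the Content-Type header.` would close that gap; since `generated/ecs/ecs_flat.yml`, `ecs_nested.yml` and the Elasticsearch templates in this commit appear to be derived from this schema, the wording belongs here. As a point of style, "MIME" is an acronym and is spelled `Mime` in both `short:` and `description:` — `short: MIME type of the body of the request.` would match the usual casing.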
From 4b6742b835a5c50711fc58a63c7d9a09fed725aa Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 25 Aug 2020 14:56:30 -0500 Subject: [PATCH 06/90] [1.x] Cut 1.6 Changelog (#933) (#952) (#953) Co-authored-by: Mathieu Martin --- CHANGELOG.md | 97 +++++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.next.md | 73 ----------------------------------- 2 files changed, 97 insertions(+), 73 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5510520c9f..0b6a774967 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,103 @@ # CHANGELOG All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/). +## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0) + +### Schema Changes + +#### Bugfixes + +* Field `registry.data.strings` should have been marked as an array field. #790 + +#### Added + +* Added `x509.*` field set. #762 +* Add architecture and imphash for PE field set. #763 +* Added `agent.build.*` for extended agent version information. #764 +* Added `log.file.path` to capture the log file an event came from. #802 +* Added more account and project cloud metadata. #816 +* Added missing field reuse of `pe` at `process.parent.pe` #868 +* Added `span.id` to the tracing fieldset, for additional log correlation #882 +* Added `event.reason` for the reason why an event's outcome or action was taken. #907 +* Added `user.roles` to capture a list of role names that apply to the user. #917 + +#### Improvements + +* Removed misleading pluralization in the description of `user.id`, it should + contain one ID, not many. #801 +* Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804 +* Improved verbiage about the MITRE ATT&CK® framework. #866 +* Removed the default `object_type=keyword` that was being applied to `object` fields. + This attribute is Beats-specific. It's still supported, but needs to be set explicitly + on a case by case basis now. This default being removed affects `dns.answers`, + `log.syslog`, `network.inner`, `observer.egress`, and `observer.ingress`. #871 +* Improved attribute `dashed_name` in `generated/ecs/*.yml` to also + replace `@` with `-`. #871 +* Updated several URLs in the documentation with "example.com" domain. 
#910 + +#### Deprecated + +* Deprecate guidance to lowercase `http.request.method` #840 + + +### Tooling and Artifact Changes + +#### Breaking changes + +* Removed field definitions at the root of documents for fieldsets that + had `reusable.top_level:false`. This PR affects `ecs_flat.yml`, the csv file + and the sample Elasticsearch templates. #495, #813 +* Removed the `order` attribute from the `ecs_nested.yml` and `ecs_flat.yml` files. #811 +* In `ecs_nested.yml`, the array of strings that used to be in `reusable.expected` + has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864 +* The subset format now requires `name` and `fields` keys at the top level. #873 + +#### Bugfixes + +* Subsets are created after duplicating reusable fields now so subsets can + be applied to each reused instance independently. #753 +* Quoted the example for `labels` to avoid YAML interpreting it, and having + slightly different results in different situations. #782 +* Fix incorrect listing of where field sets are nested in asciidoc, + when they are nested deep. #784 +* Allow beats output to be generated when using `--include` or `--subset` flags. #814 +* Field parameter `index` is now correctly populated in the Beats field definition file. #824 + +#### Improvements + +* Add support for reusing official fieldsets in custom schemas. #751 +* Add full path names to reused fieldsets in `nestings` array in `ecs_nested.yml`. #803 +* Allow shorthand notation for including all subfields in subsets. #805 +* Add support for Elasticsearch `enabled` field parameter. #824 +* Add `ref` option to generator allowing schemas to be built for a specific ECS version. #851 +* Add `template-settings` and `mapping-settings` options to allow override of defaults in generated ES templates. #856 +* When overriding ECS field sets via the `--include` flag, it's no longer necessary + to duplicate the field set's mandatory attributes. The customizations are merged + before validation. 
#864 +* Add ability to nest field sets as another name. #864 +* Add ability to nest field sets within themselves (e.g. `process` => `process.parent`). #864 +* New attribute `reused_here` is added in `ecs_nested.yml`. It obsoletes the + previous attribute `nestings`, and is able to fully capture details of other + field sets reused under this one. #864 +* When chained reuses are needed (e.g. `group` => `user`, then `user` => many places), + it's now necessary to force the order with new attribute `reusable.order`. This + attribute is otherwise optional. It's currently only needed for `group`. #864 +* There's a new representation of ECS at `generated/ecs/ecs.yml`, which is a deeply nested + representation of the fields. This file is not in git, as it's only meant for + developers working on the ECS tools. #864 +* Jinja2 templates now define the doc structure for the AsciiDoc generator. #865 +* Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset, + in addition to the intermediate files generated for the combined subset. #873 + +#### Deprecated + +* In `ecs_nested.yml`, we're deprecating the attribute `nestings`. It will be + removed in a future release. The deprecated `nestings` attribute was an array of + flat field names describing where fields are nested within the field set. + This is replaced with the attribute `reused_here`, which is an array of objects. + The new format still lists where the fields are nested via the same flat field name, + but also specifies additional information about each field reuse. #864 + ## [1.5.0](https://github.com/elastic/ecs/compare/v1.4.0...v1.5.0) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a3e479ca12..be22c73fed 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -10,101 +10,28 @@ Thanks, you're awesome :-) --> ### Schema Changes -* Added `log.file.path` to capture the log file an event came from. #802 - #### Breaking changes #### Bugfixes -* Field `registry.data.strings` should have been marked as an array field. #790 - #### Added -* Add architecture and imphash for PE field set. (#763) -* Added `agent.build.*` for extended agent version information. (#764) -* Added `x509.*` field set. (#762) -* Added more account and project cloud metadata. (#816) -* Added missing field reuse of `pe` at `process.parent.pe` #868 -* Added `span.id` to the tracing fieldset, for additional log correlation (#882) -* Added `event.reason` for the reason why an event's outcome or action was taken. #907 -* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913 * Added Mime Type fields to HTTP request and response. #944 #### Improvements -* Removed misleading pluralization in the description of `user.id`, it should - contain one ID, not many. #801 -* Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804 -* Improved verbiage about the MITRE ATT&CK® framework. #866 -* Removed the default `object_type=keyword` that was being applied to `object` fields. - This attribute is Beats-specific. It's still supported, but needs to be set explicitly - on a case by case basis now. This default being removed affects `dns.answers`, - `log.syslog`, `network.inner`, `observer.egress`, and `observer.ingress`. #871 -* Improved attribute `dashed_name` in `generated/ecs/*.yml` to also - replace `@` with `-`. #871 -* Updated several URLs in the documentation with "example.com" domain. #910 - #### Deprecated -* Deprecate guidance to lowercase `http.request.method` #840 -* In `ecs_nested.yml`, we're deprecating the attribute `nestings`. It will be - removed in a future release. The deprecated `nestings` attribute was an array of - flat field names describing where fields are nested within the field set. 
- This is replaced with the attribute `reused_here`, which is an array of objects. - The new format still lists where the fields are nested via the same flat field name, - but also specifies additional information about each field reuse. - - ### Tooling and Artifact Changes #### Breaking changes -* Removed field definitions at the root of documents for fieldsets that - had `reusable.top_level:false`. This PR affects `ecs_flat.yml`, the csv file - and the sample Elasticsearch templates. #495, #813 -* Removed the `order` attribute from the `ecs_nested.yml` and `ecs_flat.yml` files. #811 -* In `ecs_nested.yml`, the array of strings that used to be in `reusable.expected` - has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864 -* The subset format now requires `name` and `fields` keys at the top level. #873 - #### Bugfixes -* Subsets are created after duplicating reusable fields now so subsets can - be applied to each reused instance independently. #753 -* Quoted the example for `labels` to avoid YAML interpreting it, and having - slightly different results in different situations. #782 -* Fix incorrect listing of where field sets are nested in asciidoc, - when they are nested deep. #784 -* Allow beats output to be generated when using `--include` or `--subset` flags. #814 -* Field parameter `index` is now correctly populated in the Beats field definition file. #824 - #### Added #### Improvements -* Add support for reusing official fieldsets in custom schemas. #751 -* Add full path names to reused fieldsets in `nestings` array in `ecs_nested.yml`. #803 -* Allow shorthand notation for including all subfields in subsets. #805 -* Add support for Elasticsearch `enabled` field parameter. #824 -* Add `ref` option to generator allowing schemas to be built for a specific ECS version. #851 -* Add `template-settings` and `mapping-settings` options to allow override of defaults in generated ES templates. 
#856 -* When overriding ECS field sets via the `--include` flag, it's no longer necessary - to duplicate the field set's mandatory attributes. The customizations are merged - before validation. #864 -* Add ability to nest field sets as another name. #864 -* Add ability to nest field sets within themselves (e.g. `process` => `process.parent`). #864 -* New attribute `reused_here` is added in `ecs_nested.yml`. It obsoletes the - previous attribute `nestings`, and is able to fully capture details of other - field sets reused under this one. #864 -* When chained reuses are needed (e.g. `group` => `user`, then `user` => many places), - it's now necessary to force the order with new attribute `reusable.order`. This - attribute is otherwise optional. It's currently only needed for `group`. #864 -* There's a new representation of ECS at `generated/ecs/ecs.yml`, which is a deeply nested - representation of the fields. This file is not in git, as it's only meant for - developers working on the ECS tools. #864 -* Jinja2 templates now define the doc structure for the AsciiDoc generator. #865 -* Intermediate `ecs_flat.yml` and `ecs_nested.yml` files are now generated for each individual subset, - in addition to the intermediate files generated for the combined subset. #873 * Field details Jinja2 template components have been consolidated into one template #897 #### Deprecated From 357ce2431baf9acbafaf670c98312b0b33bad8fd Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Mon, 31 Aug 2020 17:12:58 -0500 Subject: [PATCH 07/90] [1.x] Add threat.technique.subtechnique (#951) (#956) Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> --- CHANGELOG.next.md | 2 + code/go/ecs/threat.go | 39 +++++++---- docs/field-details.asciidoc | 78 ++++++++++++++++++---- generated/beats/fields.ecs.yml | 53 +++++++++++---- generated/csv/fields.csv | 18 +++-- generated/ecs/ecs_flat.yml | 69 +++++++++++++++---- generated/ecs/ecs_nested.yml | 69 +++++++++++++++---- generated/elasticsearch/6/template.json | 22 ++++++ generated/elasticsearch/7/template.json | 22 ++++++ schemas/threat.yml | 89 ++++++++++++++++++------- 10 files changed, 367 insertions(+), 94 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index be22c73fed..cadc21ef98 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,6 +10,8 @@ Thanks, you're awesome :-) --> ### Schema Changes +* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951 + #### Breaking changes #### Bugfixes diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index a77aa888e1..0df5e08049 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
@@ -34,30 +34,45 @@ type Threat struct { // retrospectively tagged to events. Framework string `ecs:"framework"` + // The id of tactic used by this threat. You can use a MITRE ATT&CK® + // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + TacticID string `ecs:"tactic.id"` + // Name of the type of tactic used by this threat. You can use a MITRE // ATT&CK® tactic, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/) + // https://attack.mitre.org/tactics/TA0002/) TacticName string `ecs:"tactic.name"` - // The id of tactic used by this threat. You can use a MITRE ATT&CK® - // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - TacticID string `ecs:"tactic.id"` - // The reference url of tactic used by this threat. You can use a MITRE // ATT&CK® tactic, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/ ) + // https://attack.mitre.org/tactics/TA0002/ ) TacticReference string `ecs:"tactic.reference"` - // The name of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) - TechniqueName string `ecs:"technique.name"` - // The id of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) + // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) TechniqueID string `ecs:"technique.id"` + // The name of technique used by this threat. You can use a MITRE ATT&CK® + // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + TechniqueName string `ecs:"technique.name"` + // The reference url of technique used by this threat. You can use a MITRE // ATT&CK® technique, for example. (ex. - // https://attack.mitre.org/techniques/T1499/ ) + // https://attack.mitre.org/techniques/T1059/) TechniqueReference string `ecs:"technique.reference"` + + // The full id of subtechnique used by this threat. 
You can use a MITRE + // ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueID string `ecs:"technique.subtechnique.id"` + + // The name of subtechnique used by this threat. You can use a MITRE + // ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueName string `ecs:"technique.subtechnique.name"` + + // The reference url of subtechnique used by this threat. You can use a + // MITRE ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueReference string `ecs:"technique.subtechnique.reference"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 3e38c16c45..b39f2c2949 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK` // =============================================================== | threat.tactic.id -| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5427,14 +5427,14 @@ Note: this field should contain an array of values. -example: `TA0040` +example: `TA0002` | extended // =============================================================== | threat.tactic.name -| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) +| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
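Review bot: The three new fields `TechniqueSubtechniqueID`, `TechniqueSubtechniqueName` and `TechniqueSubtechniqueReference` are declared as `string`, while the documentation added in this same commit (`docs/field-details.asciidoc` and the `array` normalization column in `generated/csv/fields.csv`) states that each of these fields should contain an array of values; the pre-existing tactic and technique fields carry the same `string` typing, so this looks like a generator convention rather than a regression, but a multi-valued document will not unmarshal into a `string` and it is worth confirming that is intended. The comment on `TechniqueSubtechniqueID` gives a URL as its `(ex. …)` although the example value documented elsewhere is `T1059.001`; `// The full id of subtechnique used by this threat (ex. T1059.001). You can use a MITRE ATT&CK® subtechnique, for example.` would describe the actual value, and if this file is generated from `schemas/threat.yml` as the diffstat suggests, the wording change belongs in that schema's `description`. The enclosing `type Threat struct` begins outside the hunk.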
@@ -5443,14 +5443,14 @@ Note: this field should contain an array of values. -example: `impact` +example: `Execution` | extended // =============================================================== | threat.tactic.reference -| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5459,14 +5459,14 @@ Note: this field should contain an array of values. -example: `https://attack.mitre.org/tactics/TA0040/` +example: `https://attack.mitre.org/tactics/TA0002/` | extended // =============================================================== | threat.technique.id -| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) +| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5475,14 +5475,14 @@ Note: this field should contain an array of values. -example: `T1499` +example: `T1059` | extended // =============================================================== | threat.technique.name -| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) +| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -5497,14 +5497,14 @@ Note: this field should contain an array of values. -example: `Endpoint Denial of Service` +example: `Command and Scripting Interpreter` | extended // =============================================================== | threat.technique.reference -| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword 
@@ -5513,7 +5513,61 @@ Note: this field should contain an array of values. -example: `https://attack.mitre.org/techniques/T1499/` +example: `https://attack.mitre.org/techniques/T1059/` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.id +| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `T1059.001` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.name +| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + +Multi-fields: + +* threat.technique.subtechnique.name.text (type: text) + + + + +Note: this field should contain an array of values. + + + +example: `PowerShell` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.reference +| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `https://attack.mitre.org/techniques/T1059/001/` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 28c195fff2..782d1fdd50 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -4538,30 +4538,30 @@ type: keyword ignore_above: 1024 description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 - name: tactic.name level: extended type: keyword ignore_above: 1024 description: "Name of the type of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution - name: tactic.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ - name: technique.id level: extended type: keyword ignore_above: 1024 description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 - name: technique.name level: extended type: keyword 
@@ -4572,16 +4572,43 @@ norms: false default_field: false description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter - name: technique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + - name: technique.subtechnique.id + level: extended + type: keyword + ignore_above: 1024 + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + default_field: false + - name: technique.subtechnique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + default_field: false + - name: technique.subtechnique.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + default_field: false - name: tls title: TLS group: 2 
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 9487929101..593be1ee68 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id. -1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic. -1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference. -1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id. -1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name. -1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name. -1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference. +1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. 
+1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f8110a362b..08a1c79cb4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -6850,8 +6850,8 @@ threat.framework: threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 flat_name: threat.tactic.id ignore_above: 1024 level: extended 
@@ -6863,8 +6863,8 @@ threat.tactic.id: threat.tactic.name: dashed_name: threat-tactic-name description: "Name of the type of tactic used by this threat. You can use a MITRE\ - \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution flat_name: threat.tactic.name ignore_above: 1024 level: extended @@ -6876,9 +6876,9 @@ threat.tactic.name: threat.tactic.reference: dashed_name: threat-tactic-reference description: "The reference url of tactic used by this threat. You can use a MITRE\ - \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ flat_name: threat.tactic.reference ignore_above: 1024 level: extended @@ -6890,8 +6890,8 @@ threat.tactic.reference: threat.technique.id: dashed_name: threat-technique-id description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 flat_name: threat.technique.id ignore_above: 1024 level: extended @@ -6903,8 +6903,8 @@ threat.technique.id: threat.technique.name: dashed_name: threat-technique-name description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter flat_name: threat.technique.name ignore_above: 1024 level: extended 
@@ -6921,9 +6921,8 @@ threat.technique.name: threat.technique.reference: dashed_name: threat-technique-reference description: "The reference url of technique used by this threat. You can use a\ - \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ flat_name: threat.technique.reference ignore_above: 1024 level: extended 
@@ -6932,6 +6931,50 @@ threat.technique.reference: - array short: Threat technique URL reference. type: keyword +threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword +threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword +threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword tls.cipher: dashed_name: tls-cipher description: String indicating the cipher used during the current connection. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 13b273fcfb..926f834242 100644 
--- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8022,8 +8022,8 @@ threat: threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 flat_name: threat.tactic.id ignore_above: 1024 level: extended @@ -8035,8 +8035,8 @@ threat: threat.tactic.name: dashed_name: threat-tactic-name description: "Name of the type of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution flat_name: threat.tactic.name ignore_above: 1024 level: extended @@ -8048,9 +8048,9 @@ threat: threat.tactic.reference: dashed_name: threat-tactic-reference description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ flat_name: threat.tactic.reference ignore_above: 1024 level: extended @@ -8062,8 +8062,8 @@ threat: threat.technique.id: dashed_name: threat-technique-id description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 flat_name: threat.technique.id ignore_above: 1024 level: extended 
@@ -8075,8 +8075,8 @@ threat: threat.technique.name: dashed_name: threat-technique-name description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter flat_name: threat.technique.name ignore_above: 1024 level: extended @@ -8093,9 +8093,8 @@ threat: threat.technique.reference: dashed_name: threat-technique-reference description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ flat_name: threat.technique.reference ignore_above: 1024 level: extended 
@@ -8104,6 +8103,50 @@ threat: - array short: Threat technique URL reference. type: keyword + threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword + threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword + threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword group: 2 name: threat prefix: threat. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 6f98745d9b..b16d3576ce 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -2571,6 +2571,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 177889f92d..08071d1b91 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -2570,6 +2570,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/schemas/threat.yml b/schemas/threat.yml index d24fa0fc75..62477b28a1 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -24,39 +24,53 @@ example: MITRE ATT&CK - - name: tactic.name + - name: tactic.id level: extended type: keyword - short: Threat tactic. + short: Threat tactic id. description: > - Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/) + The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. + (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: impact + example: TA0002 normalize: - array - - name: tactic.id + - name: tactic.name level: extended type: keyword - short: Threat tactic id. + short: Threat tactic. description: > - The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/ ) + Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. + (ex. https://attack.mitre.org/tactics/TA0002/) - example: TA0040 + example: Execution normalize: - array + - name: tactic.reference level: extended type: keyword short: Threat tactic URL reference. description: > The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/ ) + (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ + normalize: + - array + + + - name: technique.id + level: extended + type: keyword + short: Threat technique id. + description: > + The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. + (ex. https://attack.mitre.org/techniques/T1059/) + + example: T1059 normalize: - array 
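Review bot: The example URLs in the `tactic.id` and `tactic.reference` descriptions keep a stray space before the closing parenthesis, `(ex. https://attack.mitre.org/tactics/TA0002/ )`, while the neighbouring `tactic.name` entry and the technique entries touched by this commit drop it. These description strings are copied verbatim into the generated artifacts, so the inconsistency propagates. Suggest `(ex. https://attack.mitre.org/tactics/TA0002/)` in both places.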
@@ -69,32 +83,59 @@ short: Threat technique name. description: > The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/) + (ex. https://attack.mitre.org/techniques/T1059/) - example: Endpoint Denial of Service + example: Command and Scripting Interpreter normalize: - array - - name: technique.id + - name: technique.reference level: extended type: keyword - short: Threat technique id. + short: Threat technique URL reference. description: > - The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/) + The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. + (ex. https://attack.mitre.org/techniques/T1059/) - example: T1499 + example: https://attack.mitre.org/techniques/T1059/ normalize: - array - - name: technique.reference + - name: technique.subtechnique.id level: extended type: keyword - short: Threat technique URL reference. + short: Threat subtechnique id. description: > - The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/ ) + The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) + + example: T1059.001 + normalize: + - array + + - name: technique.subtechnique.name + level: extended + type: keyword + multi_fields: + - type: text + name: text + short: Threat subtechnique name. + description: > + The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) + + example: PowerShell + normalize: + - array + + - name: technique.subtechnique.reference + level: extended + type: keyword + short: Threat subtechnique URL reference. 
+ description: > + The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) - example: https://attack.mitre.org/techniques/T1499/ + example: https://attack.mitre.org/techniques/T1059/001/ normalize: - array From 9c4fc4ceb0e339d8f26a1b582bdab3aaba664427 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Fri, 4 Sep 2020 09:38:08 -0500 Subject: [PATCH 08/90] [1.x] Nest as for foreign reuse (#960) (#962) --- CHANGELOG.next.md | 2 ++ scripts/schema/finalizer.py | 4 ++- scripts/tests/unit/test_schema_finalizer.py | 36 ++++++++++++++++++++- 3 files changed, 40 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index cadc21ef98..9f227041e0 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -30,6 +30,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960 + #### Added #### Improvements diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py index 45abb6a3a9..3d1c7202b2 100644 --- a/scripts/schema/finalizer.py +++ b/scripts/schema/finalizer.py 
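Review bot: The new `technique.subtechnique.*` fields are declared as independent arrays (`normalize: - array`) with no stated relationship to `technique.id`, so an event that populates only `T1059.001` would not match detection content keyed on `threat.technique.id: T1059`. The description should state whether the parent technique must also be populated; suggested addition to the `technique.subtechnique.id` description: `When a subtechnique is populated, also set the parent technique (e.g. T1059) in threat.technique.id.` I am inferring the consumer-side impact from the array declarations in this hunk; ECS-wide guidance on this may live outside it.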
@@ -57,17 +57,19 @@ def perform_reuse(fields): schema = fields[schema_name] for reuse_entry in reuse_entries: # print(order, "{} => {}".format(schema_name, reuse_entry['full'])) + nest_as = reuse_entry['as'] destination_schema_name = reuse_entry['full'].split('.')[0] destination_schema = fields[destination_schema_name] ensure_valid_reuse(schema, destination_schema) new_field_details = copy.deepcopy(schema['field_details']) + new_field_details['name'] = nest_as new_field_details['original_fieldset'] = schema_name new_field_details['intermediate'] = True reused_fields = copy.deepcopy(schema['fields']) set_original_fieldset(reused_fields, schema_name) destination_fields = field_group_at_path(reuse_entry['at'], fields) - destination_fields[schema_name] = { + destination_fields[nest_as] = { 'field_details': new_field_details, 'fields': reused_fields, } diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py index 64f3f25458..8a193a0454 100644 --- a/scripts/tests/unit/test_schema_finalizer.py +++ b/scripts/tests/unit/test_schema_finalizer.py @@ -47,6 +47,8 @@ def schema_process(self): 'order': 2, 'expected': [ {'full': 'process.parent', 'at': 'process', 'as': 'parent'}, + {'full': 'reuse.process', 'at': 'reuse', 'as': 'process'}, + {'full': 'reuse.process.parent', 'at': 'reuse.process', 'as': 'parent'}, ] } }, 
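Review bot: `destination_fields[nest_as] = {...}` silently overwrites any field already present under the user-supplied `as` name, and `ensure_valid_reuse(schema, destination_schema)` receives neither `nest_as` nor the `at` path, so it presumably cannot detect the collision. A reuse whose `as` coincides with an existing leaf in the destination would drop that leaf from every generated artifact without any error. Suggest guarding before the assignment: `if nest_as in destination_fields: raise ValueError("reuse of '{}' as '{}' collides with an existing field at '{}'".format(schema_name, nest_as, reuse_entry['at']))`. perform_reuse starts before the hunk.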
@@ -143,30 +145,57 @@ def schema_server(self): } } + def schema_process_reuse(self): + return { + 'reuse': { + 'schema_details': { + 'title': 'Reuse', + 'root': False + }, + 'field_details': { + 'name': 'Reuse', + 'node_name': 'Reuse', + 'short': 'reuse example', + }, + 'fields': { + 'pid': { + 'field_details': { + 'name': 'pid', + 'node_name': 'pid', + } + } + } + } + } + # perform_reuse def test_perform_reuse_with_foreign_reuse_and_self_reuse(self): - fields = {**self.schema_user(), **self.schema_server(), **self.schema_process()} + fields = {**self.schema_user(), **self.schema_server(), **self.schema_process(), **self.schema_process_reuse()} # If the test had multiple foreign destinations for user fields, we could compare them together instead finalizer.perform_reuse(fields) process_fields = fields['process']['fields'] server_fields = fields['server']['fields'] user_fields = fields['user']['fields'] + process_reuse_fields = fields['reuse']['fields']['process']['fields'] # Expected reuse self.assertIn('parent', process_fields) self.assertIn('user', server_fields) self.assertIn('target', user_fields) self.assertIn('effective', user_fields) + self.assertIn('parent', process_reuse_fields) # Sanity check for presence of leaf fields, after performing reuse self.assertIn('name', user_fields['target']['fields']) self.assertIn('name', user_fields['effective']['fields']) self.assertIn('name', server_fields['user']['fields']) self.assertIn('pid', process_fields['parent']['fields']) + self.assertIn('pid', process_reuse_fields['parent']['fields']) # Ensure the parent field of reused fields is marked as intermediate self.assertTrue(server_fields['user']['field_details']['intermediate']) self.assertTrue(process_fields['parent']['field_details']['intermediate']) self.assertTrue(user_fields['target']['field_details']['intermediate']) self.assertTrue(user_fields['effective']['field_details']['intermediate']) + 
self.assertTrue(process_reuse_fields['parent']['field_details']['intermediate']) # No unexpected cross-nesting self.assertNotIn('target', user_fields['target']['fields']) self.assertNotIn('target', user_fields['effective']['fields']) @@ -176,6 +205,7 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self): self.assertIn('user.effective', fields['user']['schema_details']['nestings']) self.assertIn('user.target', fields['user']['schema_details']['nestings']) self.assertIn('server.user', fields['server']['schema_details']['nestings']) + self.assertIn('reuse.process.parent', fields['reuse']['schema_details']['nestings']) # Attribute 'reused_here' lists nestings inside a destination schema self.assertIn({'full': 'process.parent', 'schema_name': 'process', 'short': 'short desc'}, fields['process']['schema_details']['reused_here']) @@ -185,6 +215,8 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self): fields['user']['schema_details']['reused_here']) self.assertIn({'full': 'server.user', 'schema_name': 'user', 'short': 'short desc'}, fields['server']['schema_details']['reused_here']) + self.assertIn({'full': 'reuse.process.parent', 'schema_name': 'process', 'short': 'short desc'}, + fields['reuse']['schema_details']['reused_here']) # Reused fields have an indication they're reused self.assertEqual(process_fields['parent']['field_details']['original_fieldset'], 'process', "The parent field of reused fields should have 'original_fieldset' populated") 
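Review bot: The new assertions on `process_reuse_fields['parent']` check presence, `intermediate` and `original_fieldset` but never `field_details['name']`, which is the other half of the fix (`new_field_details['name'] = nest_as` in finalizer.py). Without it a regression that nests under the right key but keeps the source schema's name would still pass. Suggest adding `self.assertEqual(process_reuse_fields['parent']['field_details']['name'], 'parent')` next to the existing `intermediate` check. The test method continues outside this hunk.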
@@ -193,6 +225,8 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self): self.assertEqual(server_fields['user']['field_details']['original_fieldset'], 'user', "The parent field of foreign reused fields should have 'original_fieldset' populated") self.assertEqual(server_fields['user']['fields']['name']['field_details']['original_fieldset'], 'user') + self.assertEqual(process_reuse_fields['parent']['field_details']['original_fieldset'], 'process', + "The parent field of reused fields should have 'original_fieldset' populated") # Original fieldset's fields must not be marked with 'original_fieldset=' self.assertNotIn('original_fieldset', user_fields['name']['field_details']) self.assertNotIn('original_fieldset', process_fields['pid']['field_details']) From 3eb6d9962c9a551467389e5cd2e110e5592d2a3a Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 8 Sep 2020 14:55:48 -0500 Subject: [PATCH 09/90] [1.x] Remove `expected_event_types` from protocol (#964) (#965) --- CHANGELOG.next.md | 2 ++ docs/field-values.asciidoc | 4 ---- generated/ecs/ecs_flat.yml | 6 ------ generated/ecs/ecs_nested.yml | 6 ------ schemas/event.yml | 6 ------ 5 files changed, 2 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9f227041e0..f7780503be 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964 + #### Added * Added Mime Type fields to HTTP request and response. #944 diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 03a74e16cd..4e4bb8a61e 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc 
@@ -439,10 +439,6 @@ The installation event type is used for the subset of events within a category t The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. -*Expected event types for category protocol:* - -access, change, end, info, start - [float] [[ecs-event-type-start]] diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 08a1c79cb4..c27228d794 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2298,12 +2298,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 926f834242..8ed5b86a80 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2701,12 +2701,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/schemas/event.yml b/schemas/event.yml index 4d18ae2c86..74e99b99fe 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -469,12 +469,6 @@ Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start - name: start description: > The start event type is used for the subset of events within a category From d5820b9981449c269571d12bc8c75d4f51bf0721 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Sep 2020 11:38:13 -0500 Subject: [PATCH 10/90] [1.x] Expand definitions of source and destination field sets (#967) (#973) --- CHANGELOG.next.md | 2 ++ code/go/ecs/destination.go | 9 ++++++++- code/go/ecs/source.go | 9 ++++++++- docs/field-details.asciidoc | 8 ++++---- generated/beats/fields.ecs.yml | 24 ++++++++++++++++++------ generated/ecs/ecs_nested.yml | 24 ++++++++++++++++++------ schemas/destination.yml | 8 ++++++-- schemas/source.yml | 8 ++++++-- 8 files changed, 70 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f7780503be..4f624151f1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -24,6 +24,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Expanded field set definitions for `source.*` and `destination.*`. #967 + #### Deprecated ### Tooling and Artifact Changes 
diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go index b283ec3b2f..e3417e5bb9 100644 --- a/code/go/ecs/destination.go +++ b/code/go/ecs/destination.go @@ -19,8 +19,15 @@ package ecs -// Destination fields describe details about the destination of a packet/event. +// Destination fields capture details about the receiver of a network +// exchange/packet. These fields are populated from a network event, packet, or +// other event containing details of a network transaction. // Destination fields are usually populated in conjunction with source fields. +// The source and destination fields are considered the baseline and should +// always be filled if an event contains source and destination details from a +// network transaction. If the event also contains identification of the client +// and server roles, then the client and server fields should also be +// populated. type Destination struct { // Some event destination addresses are defined ambiguously. The event will // sometimes list an IP, a domain or a unix socket. You should always diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go index 8fe352bc72..f8ab84d581 100644 --- a/code/go/ecs/source.go +++ b/code/go/ecs/source.go 
@@ -19,8 +19,15 @@ package ecs -// Source fields describe details about the source of a packet/event. +// Source fields capture details about the sender of a network exchange/packet. +// These fields are populated from a network event, packet, or other event +// containing details of a network transaction. // Source fields are usually populated in conjunction with destination fields. +// The source and destination fields are considered the baseline and should +// always be filled if an event contains source and destination details from a +// network transaction. If the event also contains identification of the client +// and server roles, then the client and server fields should also be +// populated. type Source struct { // Some event source addresses are defined ambiguously. The event will // sometimes list an IP, a domain or a unix socket. You should always diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index b39f2c2949..da97a3c5f8 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -803,9 +803,9 @@ example: `docker` [[ecs-destination]] === Destination Fields -Destination fields describe details about the destination of a packet/event. +Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Destination fields are usually populated in conjunction with source fields. +Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. ==== Destination Field Details 
@@ -5185,9 +5185,9 @@ example: `3.2.4` [[ecs-source]] === Source Fields -Source fields describe details about the source of a packet/event. +Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. -Source fields are usually populated in conjunction with destination fields. +Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. ==== Source Field Details diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 782d1fdd50..c632daaead 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -562,9 +562,15 @@ - name: destination title: Destination group: 2 - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or + other event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' type: group fields: - name: address 
@@ -4286,9 +4292,15 @@ - name: source title: Source group: 2 - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' type: group fields: - name: address diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8ed5b86a80..490b00eb74 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -957,9 +957,15 @@ container: title: Container type: group destination: - description: 'Destination fields describe details about the destination of a packet/event. - - Destination fields are usually populated in conjunction with source fields.' + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or other + event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: destination.address: dashed_name: destination-address 
@@ -7570,9 +7576,15 @@ service: title: Service type: group source: - description: 'Source fields describe details about the source of a packet/event. - - Source fields are usually populated in conjunction with destination fields.' + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' fields: source.address: dashed_name: source-address diff --git a/schemas/destination.yml b/schemas/destination.yml index 2400f3745e..42d3e154d5 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml @@ -4,9 +4,13 @@ group: 2 short: Fields about the destination side of a network connection, used with source. description: > - Destination fields describe details about the destination of a packet/event. + Destination fields capture details about the receiver of a network exchange/packet. These fields are populated from + a network event, packet, or other event containing details of a network transaction. - Destination fields are usually populated in conjunction with source fields. + Destination fields are usually populated in conjunction with source fields. The source and destination + fields are considered the baseline and should always be filled if an event contains source + and destination details from a network transaction. If the event also contains identification of the + client and server roles, then the client and server fields should also be populated. type: group fields: 
diff --git a/schemas/source.yml b/schemas/source.yml index 05379a48c3..65539b3d60 100644 --- a/schemas/source.yml +++ b/schemas/source.yml @@ -4,9 +4,13 @@ group: 2 short: Fields about the source side of a network connection, used with destination. description: > - Source fields describe details about the source of a packet/event. + Source fields capture details about the sender of a network exchange/packet. These fields are populated from + a network event, packet, or other event containing details of a network transaction. - Source fields are usually populated in conjunction with destination fields. + Source fields are usually populated in conjunction with destination fields. The source and destination + fields are considered the baseline and should always be filled if an event contains source + and destination details from a network transaction. If the event also contains identification of the + client and server roles, then the client and server fields should also be populated. type: group fields: From e6ba4c43fe40f7e4cd5dfd09568cacc12281e3ca Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Sep 2020 14:18:43 -0500 Subject: [PATCH 11/90] [1.x] Introduce `--strict` flag (#937) (#975) --- CHANGELOG.next.md | 5 ++- Makefile | 2 +- USAGE.md | 45 +++++++++++++++++++++++ scripts/generator.py | 4 +- scripts/generators/ecs_helpers.py | 15 ++++++++ scripts/schema/cleaner.py | 18 ++++++--- scripts/tests/unit/test_schema_cleaner.py | 20 ++++++++++ 7 files changed, 99 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 4f624151f1..1984f60434 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,8 +10,6 @@ Thanks, you're awesome :-) --> ### Schema Changes -* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951 - #### Breaking changes #### Bugfixes 
@@ -21,6 +19,7 @@ Thanks, you're awesome :-) --> #### Added * Added Mime Type fields to HTTP request and response. #944 +* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 #### Improvements @@ -38,6 +37,8 @@ Thanks, you're awesome :-) --> #### Added +* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937 + #### Improvements * Field details Jinja2 template components have been consolidated into one template #897 diff --git a/Makefile b/Makefile index e2826b46bc..37617d391e 100644 --- a/Makefile +++ b/Makefile @@ -61,7 +61,7 @@ generate: legacy_use_cases codegen generator # Run the new generator .PHONY: generator generator: - $(PYTHON) scripts/generator.py --include "${INCLUDE}" + $(PYTHON) scripts/generator.py --strict --include "${INCLUDE}" # Generate Go code from the schema. .PHONY: gocodegen diff --git a/USAGE.md b/USAGE.md index 334879892e..ffa2ca2e06 100644 --- a/USAGE.md +++ b/USAGE.md @@ -29,6 +29,7 @@ relevant artifacts for their unique set of data sources. + [Subset](#subset) + [Ref](#ref) + [Mapping & Template Settings](#mapping--template-settings) + + [Strict Mode](#strict-mode) + [Intermediate-Only](#intermediate-only) ## Terminology 
@@ -294,6 +295,50 @@ The `--template-settings` argument defines [index level settings](https://www.el For `template.json`, the `mappings` object is left empty: `{}`. Likewise the `properties` object remains empty in the `mapping.json` example. This will be filled in automatically by the script. +#### Strict Mode + +The `--strict` argument enables "strict mode". Strict mode performs a stricter validation step against the schema's contents. + +Basic usage: + +``` +$ python/generator.py --strict +``` + +Strict mode requires the following conditions, else the script exits on an exception: + +* Short descriptions must be less than or equal to 120 characters. + +The current artifacts generated and published in the ECS repo will always be created using strict mode. However, older ECS versions (pre `v1.5.0`) will cause +an exception if attempting to generate them using `--strict`. This is due to schema validation checks introduced after that version was released. + +Example: + +``` +$ python scripts/generator.py --ref v1.4.0 --strict +Loading schemas from git ref v1.4.0 +Running generator. ECS version 1.4.0 +... +ValueError: Short descriptions must be single line, and under 120 characters (current length: 134). +Offending field or field set: number +Short description: + Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +``` + +Removing `--strict` will display a warning message, but the script will finish its run successfully: + +``` +$ python scripts/generator.py --ref v1.4.0 +Loading schemas from git ref v1.4.0 +Running generator. ECS version 1.4.0 +/Users/ericbeahan/dev/ecs/scripts/generators/ecs_helpers.py:176: UserWarning: Short descriptions must be single line, and under 120 characters (current length: 134). +Offending field or field set: number +Short description: + Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. + +This will cause an exception when running in strict mode. +``` + #### Intermediate-Only The `--intermediate-only` argument is used for debugging purposes. It only generates the ["intermediate files"](generated/ecs), `ecs_flat.yml` and `ecs_nested.yml`, without generating the rest of the artifacts. diff --git a/scripts/generator.py b/scripts/generator.py index b7ae2a4b2f..733f4155fe 100644 --- a/scripts/generator.py +++ b/scripts/generator.py @@ -41,7 +41,7 @@ def main(): # ecs_helpers.yaml_dump('ecs.yml', fields) fields = loader.load_schemas(ref=args.ref, included_files=args.include) - cleaner.clean(fields) + cleaner.clean(fields, strict=args.strict) finalizer.finalize(fields) fields = subset_filter.filter(fields, args.subset, out_dir) nested, flat = intermediate_files.generate(fields, os.path.join(out_dir, 'ecs'), default_dirs) @@ -72,6 +72,8 @@ def argument_parser(): help='index template settings to use when generating elasticsearch template') parser.add_argument('--mapping-settings', action='store', help='mapping settings to use when generating elasticsearch template') + parser.add_argument('--strict', action='store_true', + help='enforce stricter checking at schema cleanup') args = parser.parse_args() # Clean up empty include of the Makefile if args.include and [''] == args.include: diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py index 911a3c9968..275c0569ac 100644 --- a/scripts/generators/ecs_helpers.py +++ b/scripts/generators/ecs_helpers.py @@ -2,6 +2,7 @@ import os import yaml import git +import warnings from collections import OrderedDict from copy import deepcopy 
@@ -159,3 +160,17 @@ def list_extract_keys(lst, key_name):
 def is_intermediate(field):
 '''Encapsulates the check to see if a field is an intermediate field or a "real" field.'''
 return ('intermediate' in field['field_details'] and field['field_details']['intermediate'])
+
+
+# Warning helper
+
+
+def strict_warning(msg):
+ """Call warnings.warn(msg) for operations that would throw an Exception
+ if operating in `--strict` mode. Allows a custom message to be passed.
+
+ :param msg: custom text which will be displayed with wrapped boilerplate
+ for strict warning messages.
+ """
+ warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode."
+ warnings.warn(warn_message)
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index ec48598bea..5f62b2daac 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -19,7 +19,9 @@
 # deal with final field names either.
-def clean(fields):
+def clean(fields, strict=False):
+ global strict_mode
+ strict_mode = strict
 visitor.visit_fields(fields, fieldset_func=schema_cleanup, field_func=field_cleanup)
@@ -46,7 +48,7 @@ def schema_cleanup(schema):
 else:
 schema['schema_details']['prefix'] = schema['field_details']['name'] + '.'
 normalize_reuse_notation(schema)
- # Final validity check
+ # Final validity check if in strict mode
 schema_assertions_and_warnings(schema)
@@ -73,7 +75,7 @@ def schema_mandatory_attributes(schema):
 def schema_assertions_and_warnings(schema):
 '''Additional checks on a fleshed out schema'''
- single_line_short_description(schema)
+ single_line_short_description(schema, strict=strict_mode)
 def normalize_reuse_notation(schema):
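Review bot: `warnings.warn(warn_message)` in strict_warning is emitted without a `stacklevel`, so the reported location is this helper rather than the validation that produced the message — the USAGE.md example in this same commit shows the warning attributed to `ecs_helpers.py:176`. Passing `stacklevel=2` (`warnings.warn(warn_message, stacklevel=2)`) attributes it to the caller, which is where a reader would look for the check that failed, and the default UserWarning category the new tests match on is unchanged. The docstring could also state what is emitted, e.g. `Emits a UserWarning; the caller is expected to raise instead when strict mode is on.`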
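Review bot: `clean()` assigns the module global `strict_mode`, but the hunk adds no module-level definition, and `schema_assertions_and_warnings` (this hunk's last change) and `field_assertions_and_warnings` (the hunk at -165 further down) read `strict_mode` unconditionally; unless it is declared somewhere outside these hunks, any path that reaches `schema_cleanup`/`field_cleanup` without first calling `clean()` — a unit test calling them directly, for instance — raises `NameError` rather than falling back to the lenient behaviour. A module-level default next to the other constants, `strict_mode = False`, closes that gap and documents the default; a comment such as `# set by clean(); True when the generator runs with --strict` would help, since the flag is otherwise only visible through the `global` statement. Threading `strict` through the visitor callbacks instead of module state would be cleaner but is a larger change.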
@@ -165,7 +167,8 @@ def field_mandatory_attributes(field):
 def field_assertions_and_warnings(field):
 '''Additional checks on a fleshed out field'''
 if not ecs_helpers.is_intermediate(field):
- single_line_short_description(field)
+ # check short description length if in strict mode
+ single_line_short_description(field, strict=strict_mode)
 if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS:
 msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format(
 field['field_details']['name'], field['field_details']['level'],
@@ -178,7 +181,7 @@ def field_assertions_and_warnings(field):
 SHORT_LIMIT = 120
-def single_line_short_description(schema_or_field):
+def single_line_short_description(schema_or_field, strict=True):
 short_length = len(schema_or_field['field_details']['short'])
 if "\n" in schema_or_field['field_details']['short'] or short_length > SHORT_LIMIT:
 msg = "Short descriptions must be single line, and under {} characters (current length: {}).\n".format(
@@ -186,4 +189,7 @@ def single_line_short_description(schema_or_field):
 msg += "Offending field or field set: {}\nShort description:\n {}".format(
 schema_or_field['field_details']['name'], schema_or_field['field_details']['short'])
- raise ValueError(msg)
+ if strict:
+ raise ValueError(msg)
+ else:
+ ecs_helpers.strict_warning(msg)
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index ed82218706..4c20fac01f 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
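Review bot: The new `strict` parameter on `single_line_short_description` defaults to `True` while `clean(fields, strict=False)` defaults to lenient, so a direct call raises but the generator pipeline only warns unless `--strict` is given; that asymmetry keeps the existing raise-tests working but is undocumented, and the function has no docstring — `:param strict: when True raise ValueError on a violation, otherwise emit a warning via ecs_helpers.strict_warning (default True; clean() passes its own --strict setting)` would make it explicit. The `else:` after `raise ValueError(msg)` is redundant; `if strict: raise ValueError(msg)` followed by an unindented `ecs_helpers.strict_warning(msg)` reads more directly. The function's signature is changed in the preceding hunk (-178) and its branch in this one, so the body is split across hunks.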
@@ -262,6 +262,26 @@ def test_multiline_short_description_raises(self): with self.assertRaisesRegex(ValueError, 'single line'): cleaner.single_line_short_description(schema) + def test_very_long_short_description_warns_strict_disabled(self): + schema = {'field_details': { + 'name': 'fake_schema', + 'short': "Single line but really long. " * 10}} + try: + with self.assertWarnsRegex(UserWarning, 'under 120 characters \(current length: 290\)'): + cleaner.single_line_short_description(schema, strict=False) + except Exception: + self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.") + + def test_multiline_short_description_warns_strict_disabled(self): + schema = {'field_details': { + 'name': 'fake_schema', + 'short': "multiple\nlines"}} + try: + with self.assertWarnsRegex(UserWarning, 'single line'): + cleaner.single_line_short_description(schema, strict=False) + except Exception: + self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.") + def test_clean(self): '''A high level sanity test''' fields = self.schema_process() From 214a01cfcdb65a68f23e402533c913ce2fdc101d Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Sep 2020 14:39:55 -0500 Subject: [PATCH 12/90] [1.x] Add example value composite type checking (#966) (#976) * Add example value composite type checking (#966) * generate csv artifact --- CHANGELOG.next.md | 1 + USAGE.md | 1 + docs/field-details.asciidoc | 14 +++--- generated/beats/fields.ecs.yml | 37 ++++----------- generated/csv/fields.csv | 16 +++---- generated/ecs/ecs_flat.yml | 37 ++++----------- generated/ecs/ecs_nested.yml | 37 ++++----------- schemas/README.md | 4 +- schemas/dns.yml | 4 +- schemas/process.yml | 2 +- schemas/rule.yml | 2 +- schemas/tls.yml | 6 +-- scripts/schema/cleaner.py | 16 +++++++ scripts/tests/unit/test_schema_cleaner.py | 58 +++++++++++++++++++++++ 14 files changed, 128 insertions(+), 107 deletions(-) 
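Review bot: The `try`/`except Exception: self.fail(...)` wrapper in both new tests swallows the `AssertionError` that `assertWarnsRegex` raises when no matching warning is emitted (AssertionError is an Exception subclass), so a missing or mis-worded warning is reported as "raised Exception unexpectedly" instead of the real mismatch; an unexpected exception already fails a unittest case, so the wrapper can be dropped and the `with` block left on its own. The first pattern, `'under 120 characters \(current length: 290\)'`, is a non-raw string containing `\(`, which Python 3 flags as an invalid escape sequence (a DeprecationWarning, a SyntaxWarning on 3.12+) — write it as `r'under 120 characters \(current length: 290\)'`. The 290 depends on the 29-character repeat string times 10; a comment such as `# 29 chars * 10 = 290, well over SHORT_LIMIT` keeps the expected length from drifting silently if the fixture text is edited.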
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1984f60434..d366755da5 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -38,6 +38,7 @@ Thanks, you're awesome :-) --> #### Added * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937 +* Added check under `--strict` that ensures composite types in example fields are quoted. #966 #### Improvements diff --git a/USAGE.md b/USAGE.md index ffa2ca2e06..e70da6b14f 100644 --- a/USAGE.md +++ b/USAGE.md @@ -308,6 +308,7 @@ $ python/generator.py --strict Strict mode requires the following conditions, else the script exits on an exception: * Short descriptions must be less than or equal to 120 characters. +* Example values containing arrays or objects must be quoted to avoid unexpected YAML interpretation when the schema files or artifacts are relied on downstream. The current artifacts generated and published in the ECS repo will always be created using strict mode. However, older ECS versions (pre `v1.5.0`) will cause an exception if attempting to generate them using `--strict`. This is due to schema validation checks introduced after that version was released. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index da97a3c5f8..2f06d7194d 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1211,7 +1211,7 @@ Note: this field should contain an array of values. -example: `['RD', 'RA']` +example: `["RD", "RA"]` | extended @@ -1343,7 +1343,7 @@ Note: this field should contain an array of values. -example: `['10.10.10.10', '10.10.10.11']` +example: `["10.10.10.10", "10.10.10.11"]` | extended @@ -4205,7 +4205,7 @@ Note: this field should contain an array of values. -example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']` +example: `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | extended 
@@ -4718,7 +4718,7 @@ Note: this field should contain an array of values. -example: `['Star-Lord']` +example: `["Star-Lord"]` | extended @@ -5624,7 +5624,7 @@ Note: this field should contain an array of values. -example: `['MII...', 'MII...']` +example: `["MII...", "MII..."]` | extended @@ -5757,7 +5757,7 @@ Note: this field should contain an array of values. -example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']` +example: `["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]` | extended @@ -5838,7 +5838,7 @@ Note: this field should contain an array of values. -example: `['MII...', 'MII...']` +example: `["MII...", "MII..."]` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c632daaead..573abe8499 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1013,9 +1013,7 @@ description: 'Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.' - example: - - RD - - RA + example: '["RD", "RA"]' - name: id level: extended type: keyword @@ -1096,9 +1094,7 @@ formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.' - example: - - 10.10.10.10 - - 10.10.10.11 + example: '["10.10.10.10", "10.10.10.11"]' - name: response_code level: extended type: keyword @@ -3229,11 +3225,7 @@ the executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - name: args_count level: extended type: long @@ -3376,11 +3368,7 @@ the executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - name: parent.args_count level: extended 
@@ -3884,8 +3872,7 @@ ignore_above: 1024 description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - example: - - Star-Lord + example: '["Star-Lord"]' default_field: false - name: category level: extended @@ -4652,9 +4639,7 @@ description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' default_field: false - name: client.hash.md5 level: extended @@ -4735,10 +4720,8 @@ type: keyword ignore_above: 1024 description: Array of ciphers offered by the client during the client hello. - example: - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - '...' + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' default_field: false - name: client.x509.alternative_names level: extended @@ -4955,9 +4938,7 @@ description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' default_field: false - name: server.hash.md5 level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 593be1ee68..5b56c77a2a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -117,7 +117,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. 1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags. +1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. 
@@ -126,7 +126,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data +1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data 1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." 1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. @@ -362,7 +362,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type 1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.7.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
@@ -381,7 +381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. 1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. @@ -447,7 +447,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.7.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author +1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author 1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category 1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description 1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID 
@@ -547,7 +547,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. 1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
@@ -557,7 +557,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. 1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. 1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. +1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. 1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes 
@@ -587,7 +587,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. 1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c27228d794..43a72942f3 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1384,9 +1384,7 @@ dns.header_flags: description: 'Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.' - example: - - RD - - RA + example: '["RD", "RA"]' flat_name: dns.header_flags ignore_above: 1024 level: extended 
@@ -1514,9 +1512,7 @@ dns.resolved_ip: it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.' - example: - - 10.10.10.10 - - 10.10.10.11 + example: '["10.10.10.10", "10.10.10.11"]' flat_name: dns.resolved_ip level: extended name: resolved_ip @@ -4777,11 +4773,7 @@ process.args: executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.args ignore_above: 1024 level: extended @@ -5007,11 +4999,7 @@ process.parent.args: executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.parent.args ignore_above: 1024 level: extended @@ -5778,8 +5766,7 @@ rule.author: dashed_name: rule-author description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - example: - - Star-Lord + example: '["Star-Lord"]' flat_name: rule.author ignore_above: 1024 level: extended @@ -6998,9 +6985,7 @@ tls.client.certificate_chain: description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' flat_name: tls.client.certificate_chain ignore_above: 1024 level: extended 
@@ -7126,10 +7111,8 @@ tls.client.subject: tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. - example: - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - '...' + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' flat_name: tls.client.supported_ciphers ignore_above: 1024 level: extended @@ -7508,9 +7491,7 @@ tls.server.certificate_chain: description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' flat_name: tls.server.certificate_chain ignore_above: 1024 level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 490b00eb74..c56839e37b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1735,9 +1735,7 @@ dns: description: 'Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.' - example: - - RD - - RA + example: '["RD", "RA"]' flat_name: dns.header_flags ignore_above: 1024 level: extended @@ -1866,9 +1864,7 @@ dns: formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.' - example: - - 10.10.10.10 - - 10.10.10.11 + example: '["10.10.10.10", "10.10.10.11"]' flat_name: dns.resolved_ip level: extended name: resolved_ip @@ -5824,11 +5820,7 @@ process: the executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.args ignore_above: 1024 level: extended 
@@ -6054,11 +6046,7 @@ process: the executable. May be filtered to protect sensitive information.' - example: - - /usr/bin/ssh - - -l - - user - - 10.0.0.16 + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' flat_name: process.parent.args ignore_above: 1024 level: extended @@ -6890,8 +6878,7 @@ rule: dashed_name: rule-author description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - example: - - Star-Lord + example: '["Star-Lord"]' flat_name: rule.author ignore_above: 1024 level: extended @@ -8193,9 +8180,7 @@ tls: description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' flat_name: tls.client.certificate_chain ignore_above: 1024 level: extended @@ -8324,10 +8309,8 @@ tls: tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. - example: - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - '...' + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' flat_name: tls.client.supported_ciphers ignore_above: 1024 level: extended @@ -8706,9 +8689,7 @@ tls: description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - example: - - MII... - - MII... + example: '["MII...", "MII..."]' flat_name: tls.server.certificate_chain ignore_above: 1024 level: extended diff --git a/schemas/README.md b/schemas/README.md index 9d1ac97696..c87be195a3 100644 --- a/schemas/README.md +++ b/schemas/README.md 
@@ -125,7 +125,9 @@ Supported keys to describe fields Defaults to the main description when absent. If the main description has multiple paragraphs, then a 'short' description with no newlines is required. -- example (optional): A single value example of what can be expected in this field +- example (optional): A single value example of what can be expected in this field. + Example values that are composite types (array, object) should be quoted to avoid YAML interpretation + in ECS-generated artifacts and other downstream projects depending on the schema. - multi\_fields (optional): Specify additional ways to index the field. - index (optional): If `False`, means field is not indexed (overrides type) - format: Field format that can be used in a Kibana index template. diff --git a/schemas/dns.yml b/schemas/dns.yml index 0c396a4a0f..afe11a190a 100644 --- a/schemas/dns.yml +++ b/schemas/dns.yml @@ -54,7 +54,7 @@ Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. - example: [RD, RA] + example: "[\"RD\", \"RA\"]" normalize: - array @@ -205,6 +205,6 @@ data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - example: [10.10.10.10, 10.10.10.11] + example: '["10.10.10.10", "10.10.10.11"]' normalize: - array diff --git a/schemas/process.yml b/schemas/process.yml index b8f1f4b11e..13ec63c07f 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -92,7 +92,7 @@ Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. - example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + example: "[\"/usr/bin/ssh\", \"-l\", \"user\", \"10.0.0.16\"]" normalize: - array diff --git a/schemas/rule.yml b/schemas/rule.yml index a9f6966705..c0daf79892 100644 --- a/schemas/rule.yml +++ b/schemas/rule.yml 
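Review bot: The two `example` values in schemas/dns.yml are quoted in different styles within the same file — `"[\"RD\", \"RA\"]"` with escaped double quotes in the header_flags hunk and `'["10.10.10.10", "10.10.10.11"]'` single-quoted in the resolved_ip hunk — while process.yml on this same line, and rule.yml and tls.yml further on, use the escaped form; settling on the single-quoted form throughout reads more easily and matches what the generated ecs_flat/ecs_nested artifacts emit. The README sentence added in the same hunk could also name the form to use so contributors do not have to guess, e.g. `Quote composite examples with single quotes, e.g. example: '["a", "b"]'.`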
@@ -88,7 +88,7 @@ description: > Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. - example: ['Star-Lord'] + example: "[\"Star-Lord\"]" normalize: - array diff --git a/schemas/tls.yml b/schemas/tls.yml index 569f09d54a..3ecacb041a 100644 --- a/schemas/tls.yml +++ b/schemas/tls.yml @@ -73,7 +73,7 @@ type: keyword level: extended description: Array of ciphers offered by the client during the client hello. - example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] + example: "[\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\", \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\", \"...\"]" normalize: - array @@ -109,7 +109,7 @@ Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - example: ["MII...", "MII..."] + example: "[\"MII...\", \"MII...\"]" normalize: - array @@ -188,7 +188,7 @@ Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - example: ["MII...", "MII..."] + example: "[\"MII...\", \"MII...\"]" normalize: - array diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py index 5f62b2daac..5f15d459fe 100644 --- a/scripts/schema/cleaner.py +++ b/scripts/schema/cleaner.py @@ -169,6 +169,7 @@ def field_assertions_and_warnings(field): if not ecs_helpers.is_intermediate(field): # check short description length if in strict mode single_line_short_description(field, strict=strict_mode) + check_example_value(field, strict=strict_mode) if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS: msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format( field['field_details']['name'], field['field_details']['level'], 
@@ -193,3 +194,18 @@ def single_line_short_description(schema_or_field, strict=True): raise ValueError(msg) else: ecs_helpers.strict_warning(msg) + + +def check_example_value(field, strict=True): + """ + Checks if value of the example field is of type list or dict. + Fails or warns (depending on strict mode) if so. + """ + example_value = field['field_details'].get('example', None) + if isinstance(example_value, (list, dict)): + name = field['field_details']['name'] + msg = f"Example value for field `{name}` contains an object or array which must be quoted to avoid YAML interpretation." + if strict: + raise ValueError(msg) + else: + ecs_helpers.strict_warning(msg) diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py index 4c20fac01f..8298a32bb3 100644 --- a/scripts/tests/unit/test_schema_cleaner.py +++ b/scripts/tests/unit/test_schema_cleaner.py 
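Review bot: `check_example_value` rejects only `list` and `dict`, so an unquoted scalar that the YAML loader types as something other than a string (a bare `true`, or a date-like value if the loader is PyYAML) still reaches the generators as a non-string; if the intent is wider than the composite types named in the README, a positive check such as `if example_value is not None and not isinstance(example_value, str):` would be the stronger guard, with the message adjusted to match. The `if strict: raise ValueError(msg) else: ecs_helpers.strict_warning(msg)` tail repeats the one in `single_line_short_description` directly above; a small module-level helper taking `(msg, strict)` would keep the two in step as more strict-mode checks are added. The docstring could also state the contract explicitly, e.g. `Raises ValueError in strict mode; otherwise emits a strict-mode warning and returns None.`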
@@ -282,6 +282,64 @@ def test_multiline_short_description_warns_strict_disabled(self): except Exception: self.fail("cleaner.single_line_short_description() raised Exception unexpectedly.") + def test_field_example_value_is_object_raises(self): + field = { + 'field_details': { + 'name': 'test', + 'example': { + 'a': 'bob', + 'b': 'alice' + } + } + } + with self.assertRaisesRegex(ValueError, 'contains an object or array'): + cleaner.check_example_value(field) + + def test_field_example_value_is_array_raises(self): + field = { + 'field_details': { + 'name': 'test', + 'example': [ + 'bob', + 'alice' + ] + } + } + with self.assertRaisesRegex(ValueError, 'contains an object or array'): + cleaner.check_example_value(field) + + def test_example_field_value_is_object_warns_strict_disabled(self): + field = { + 'field_details': { + 'name': 'test', + 'example': { + 'a': 'bob', + 'b': 'alice' + } + } + } + try: + with self.assertWarnsRegex(UserWarning, 'contains an object or array'): + cleaner.check_example_value(field, strict=False) + except Exception: + self.fail("cleaner.check_example_value() raised Exception unexpectedly.") + + def test_example_field_value_is_array_warns_strict_disabled(self): + field = { + 'field_details': { + 'name': 'test', + 'example': [ + 'bob', + 'alice' + ] + } + } + try: + with self.assertWarnsRegex(UserWarning, 'contains an object or array'): + cleaner.check_example_value(field, strict=False) + except Exception: + self.fail("cleaner.check_example_value() raised Exception unexpectedly.") + def test_clean(self): '''A high level sanity test''' fields = self.schema_process() From 7633cb0c8f0f81f84c2b5f0e41f93cd1713d6c66 Mon Sep 17 00:00:00 2001 
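Review bot: None of the four new tests covers the accepting path, so a regression that made `check_example_value` reject every example, or a correctly quoted one, would go unnoticed; a test that builds `{'field_details': {'name': 'test', 'example': '["bob", "alice"]'}}` and asserts the call returns without raising or warning, plus one with no `example` key at all, would pin the intended behaviour. The four fixture dicts differ only in the `example` value, so a helper such as `def field_with_example(example): return {'field_details': {'name': 'test', 'example': example}}` would remove the duplication. The `try`/`except Exception: self.fail(...)` wrappers around `assertWarnsRegex` also hide the original traceback; letting an unexpected exception propagate gives a more useful failure report.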
From: Eric Beahan Date: Wed, 23 Sep 2020 17:04:46 -0500 Subject: [PATCH 13/90] [1.x] Add event category configuration (#963) (#977) --- CHANGELOG.next.md | 1 + docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 15 +++++++++++++++ generated/ecs/ecs_flat.yml | 13 +++++++++++++ generated/ecs/ecs_nested.yml | 13 +++++++++++++ schemas/event.yml | 13 +++++++++++++ 6 files changed, 56 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index d366755da5..4242d8e467 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -20,6 +20,7 @@ Thanks, you're awesome :-) --> * Added Mime Type fields to HTTP request and response. #944 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 +* Added `configuration` as an allowed `event.category`. #963 #### Improvements diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 2f06d7194d..773c61cce0 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1546,7 +1546,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 4e4bb8a61e..1ef4b8e072 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -133,6 +133,7 @@ that will require subsequent breaking changes. *Allowed Values* * <> +* <> * <> * <> * <> 
@@ -157,6 +158,20 @@ Events in this category are related to the challenge and response process in whi start, end, info +[float] +[[ecs-event-category-configuration]] +==== configuration + +Events in the configuration category have to deal with creating, modifying, or deleting the settings or parameters of an application, process, or system. + +Example sources include security policy change logs, configuration auditing logging, and system integrity monitoring. + + +*Expected event types for category configuration:* + +access, change, creation, deletion, info + + [float] [[ecs-event-category-database]] ==== database diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 43a72942f3..64540cebfe 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1651,6 +1651,19 @@ event.category: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from MS SQL, MySQL, diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c56839e37b..ee213ac0c8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2044,6 +2044,19 @@ event: - end - info name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration - description: The database category denotes events and metrics relating to a data storage and retrieval system. Note that use of this category is not limited to relational database systems. Examples include event logs from diff --git a/schemas/event.yml b/schemas/event.yml index 74e99b99fe..6778790784 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -141,6 +141,19 @@ - start - end - info + - name: configuration + description: > + Events in the configuration category have to deal with creating, modifying, or + deleting the settings or parameters of an application, process, or system. + + Example sources include security policy change logs, configuration auditing logging, + and system integrity monitoring. + expected_event_types: + - access + - change + - creation + - deletion + - info - name: database description: > The database category denotes events and metrics relating to a data storage From 5b353fe4460f6a8b3ef30dc04e51dcb85561a839 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 24 Sep 2020 17:33:31 -0500 Subject: [PATCH 14/90] [1.x] Add normalizer multi-field capability (#971) (#978) Co-authored-by: Eric Beahan Co-authored-by: Madison Caldwell --- CHANGELOG.next.md | 1 + scripts/generators/beats.py | 2 +- scripts/generators/es_template.py | 7 +++++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 4242d8e467..406fce958c 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -40,6 +40,7 @@ Thanks, you're awesome :-) --> * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937 * Added check under `--strict` that ensures composite types in example fields are quoted. #966 +* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971 #### Improvements diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index f77729732d..f305261407 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py @@ -35,7 +35,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix): 'ignore_above', 'multi_fields', 'format', 'input_format', 'output_format', 'output_precision', 'description', 'example', 'enabled', 'index'] - multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field'] + multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above'] fields = [] for nested_field_name in source_fields: diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 536e8d3315..5bf264a784 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -63,8 +63,11 @@ def entry_for(field): if 'multi_fields' in field: field_entry['fields'] = {} for mf in field['multi_fields']: - mf_entry = {'type': mf['type']} - if mf['type'] == 'text': + mf_type = mf['type'] + mf_entry = {'type': mf_type} + if mf_type == 'keyword': + ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['normalizer', 'ignore_above']) + elif mf_type == 'text': ecs_helpers.dict_copy_existing_keys(mf, mf_entry, ['norms']) field_entry['fields'][mf['name']] = mf_entry From c5ccecc21917a793a27ddcbb3f4eb91397ca86b2 Mon Sep 17 00:00:00 2001 
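Review bot: In `entry_for` (es_template.py) the new `ignore_above` and `normalizer` keys are copied only for `keyword` multi-fields, while the beats.py hunk on this same line admits both keys for every multi-field regardless of its `type`; unless the Beats generator filters by type elsewhere (not visible here), a `normalizer` on a `text` multi-field would be dropped from the Elasticsearch template yet still emitted into the Beats fields file, and the two artifacts would silently disagree. A type-aware check in the schema cleaner, or one allowed-keys-per-type table shared by both generators, would keep them consistent. `entry_for` starts outside the hunk. A comment on the new branch such as `# normalizer/ignore_above are keyword-only mapping parameters; text multi-fields take norms` would document the split for the next maintainer.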
From: Eric Beahan Date: Tue, 29 Sep 2020 12:59:43 -0500 Subject: [PATCH 15/90] [1.x] Add mapping network event guidance doc (#969) (#983) --- CHANGELOG.next.md | 1 + docs/additional.asciidoc | 1 + docs/using-mapping-network-events.asciidoc | 267 +++++++++++++++++++++ docs/using.asciidoc | 6 +- 4 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 docs/using-mapping-network-events.asciidoc diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 406fce958c..b3b73b8bda 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,7 @@ Thanks, you're awesome :-) --> #### Improvements * Expanded field set definitions for `source.*` and `destination.*`. #967 +* Provided better guidance for mapping network events. #969 #### Deprecated diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc index d42bcfbeec..a39747cac8 100644 --- a/docs/additional.asciidoc +++ b/docs/additional.asciidoc @@ -2,6 +2,7 @@ == Additional Information * <> +* <> * <> * <> diff --git a/docs/using-mapping-network-events.asciidoc b/docs/using-mapping-network-events.asciidoc new file mode 100644 index 0000000000..90986f6a2f --- /dev/null +++ b/docs/using-mapping-network-events.asciidoc 
@@ -0,0 +1,267 @@ +[[ecs-mapping-network-events]] +=== Mapping Network Events + +Network events capture the details of one device communicating with another. The initiator is referred to as the source, and the recipient as the destination. Depending on the data source, a network event can contain details of addresses, protocols, headers, and device roles. + +This guide describes the different field sets available for network-related events in ECS and provides direction on the ECS best practices for mapping to them. + +[float] +==== Source and destination baseline + +When an event contains details about the sending and receiving hosts, the baseline for capturing these values will be the <> and <> fields. + +Some events may also indicate each host's role in the exchange: client or server. When this information is available, the <> and <> fields should be used _in addition to_ the `source` and `destination` fields. The fields and values mapped under `source`/`destination` should be copied under `client`/`server`. + +[float] +==== Network event mapping example + +Below is a DNS network event. The source device (`192.168.86.222`) makes a DNS query, acting as the client and the DNS server is the destination (`192.168.86.1`). + +Note this event contains additional details that would populate additional fields (such as the <>) if this was a complete mapping example. These additional fields are omitted here to focus on the network details. 
+ +[source,json] +---- +{ + "ts":1599775747.53056, + "uid":"CYqFPH3nOAa0kPxA0d", + "id.orig_h":"192.168.86.222", + "id.orig_p":54162, + "id.resp_h":"192.168.86.1", + "id.resp_p":53, + "proto":"udp", + "trans_id":28899, + "rtt":0.02272200584411621, + "query":"example.com", + "qclass":1, + "qclass_name":"C_INTERNET", + "qtype":1, + "qtype_name":"A", + "rcode":0, + "rcode_name":"NOERROR", + "AA":false, + "TC":false, + "RD":true, + "RA":true, + "Z":0, + "answers":["93.184.216.34"], + "TTLs":[21209.0], + "rejected":false +} +---- + +[float] +==== Source and destination fields + +First, the `source.*` and `destination.*` field sets are populated: + +[source,json] +---- + "source": { + "ip": "192.168.86.222", + "port": 54162 + } +---- + +[source,json] +---- + "destination": { + "ip": "192.168.86.1", + "port": 53 + } +---- + +[float] +==== Client and server fields + +Looking back at the original event, it shows the source device is the DNS client and the destination device is the DNS server. The values mapped under `source` and `destination` are copied and mapped under `client` and `server`, respectively: + +[source,json] +---- + "client": { + "ip": "192.168.86.222", + "port": 64734 + } +---- + +[source,json] +---- + "server": { + "ip": "192.168.86.1", + "port": 53 + } +---- + +Mapping both pairs of field sets gives query visibility of the same network transaction in two ways. 
+ +* `source.ip:192.168.86.222` returns all events sourced from `192.168.86.222`, regardless its role in a transaction +* `client.ip:192.168.86.222` returns all events with host `192.168.86.222` acting as a client + +The same applies for the `destination` and `server` fields: + +* `destination.ip:192.168.86.1` returns all events destined to `192.168.86.1` +* `server.ip:192.168.86.1` returns all events with `192.168.86.1` acting as the server + +It's important to note that while the values for the `source` and `destination` fields may reverse between events in a single network transaction, the values for `client` and `server` typically will not. The following two tables demonstrate how two DNS transactions involving two clients and one server would map to `source.ip`/`destination.ip` vs. `client.ip`/`server.ip`: + +[options="header"] +.Source/Destination +|===== +| source.ip | destination.ip | event + +// =============================================================== + +| 192.168.86.222 +| 192.168.86.1 +| DNS query request 1 + +// =============================================================== + +| 192.168.86.1 +| 192.168.86.222 +| DNS answer response 1 + +// =============================================================== + +| 192.168.86.42 +| 192.168.86.1 +| DNS answer request 2 + +// =============================================================== + +| 192.168.86.1 +| 192.168.86.42 +| DNS answer request 2 + +|===== + +[options="header"] +.Client/Server +|===== +| client.ip | server.ip | event + +// =============================================================== + +| 192.168.86.222 +| 192.168.86.1 +| DNS query request 1 + +// =============================================================== + +| 192.168.86.222 +| 192.168.86.1 +| DNS answer response 1 + +// =============================================================== + +| 192.168.86.42 +| 192.168.86.1 +| DNS query request 2 + +// =============================================================== + +| 192.168.86.42 +| 
192.168.86.1 +| DNS answer response 2 + +|===== + +[float] +==== Related fields + +The `related.ip` field captures all the IPs present in the event in a single array: + +[source,json] +---- + "related": { + "ip": [ + "192.168.86.222", + "192.168.86.1", + "93.184.216.34" + ] + } +---- + +The <> are meant to facilitate pivoting. Since these IP addresses can appear in many different fields (`source.ip`, `destination.ip`, `client.ip`, `server.ip`, etc.), you can search for the IP trivially no matter what field it appears using a single query, e.g. `related.ip:192.168.86.222`. + +Network events are not only limited to using `related.ip`. If hostnames or other host identifiers were present in the event, `related.hosts` should be populated too. + +[float] +==== Categorization using event fields + +When considering the <>, the `category` and `type` fields are populated using their respective allowed values which best classify the source network event. + +[source,json] +---- + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "kind": "event" + } +---- + +Most <>/<> ECS pairings are complete on their own. However, the pairing of `event.category:network` and `event.type:protocol` is an exception. 
When these two fields/value pairs both used to categorize an event, the `network.protocol` field should also be populated: + +[source,json] +---- + "network": { + "protocol": "dns", + "type": "ipv4", + "transport": "udp" + } +---- + +[float] +==== Result + +Putting everything together covered so far, we have a final ECS-mapped event: + +[source,json] +---- +{ + "event": { + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "kind": "event" + }, + "network": { + "protocol": "dns", + "type": "ipv4", + "transport": "udp" + }, + "source": { + "ip": "192.168.86.222", + "port": 54162 + }, + "destination": { + "ip": "192.168.86.1", + "port": 53 + }, + "client": { + "ip": "192.168.86.222", + "port": 64734 + }, + "server": { + "ip": "192.168.86.1", + "port": 53 + }, + "related": { + "ip": [ + "192.168.86.222", + "192.168.86.1", + "93.184.216.34" + ] + }, + "dns": { ... }, <= Again, not diving into the DNS fields here but included for completeness. + "zeek": { "ts":1599775747.53056, ... } <= Original fields can optionally be kept around as custom fields. +} +---- diff --git a/docs/using.asciidoc b/docs/using.asciidoc index fbce72bb27..e5d2358289 100644 --- a/docs/using.asciidoc +++ b/docs/using.asciidoc 
@@ -8,13 +8,17 @@ If you're new to ECS and would like an introduction on implementing and using the schema, check out the <> guide. Whether you're trying to recall a field name, implementing a solution that -follows ECS, or proposing a change to the schema, the <> and +follows ECS, or proposing a change to the schema, the <> and <> will help get you there. If you're wondering how to best capture event details that don't map to existing ECS fields, head over to <>. +<> provides a detailed walk-through of how to best map and +categorize an example network event to the schema. + include::using-getting-started.asciidoc[][] include::using-guidelines.asciidoc[] include::using-conventions.asciidoc[] include::using-custom-fields.asciidoc[] +include::using-mapping-network-events.asciidoc[] From 7897203355576fdd2495207d0a6165b3194f5121 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 29 Sep 2020 13:10:25 -0500 Subject: [PATCH 16/90] [1.x] Removing unneeded link under `Additional Information` (#984) (#985) --- docs/additional.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc index a39747cac8..d42bcfbeec 100644 --- a/docs/additional.asciidoc +++ b/docs/additional.asciidoc @@ -2,7 +2,6 @@ == Additional Information * <> -* <> * <> * <> From 23abff61d0a81665abfe985374d29aa1e6b15574 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 30 Sep 2020 16:25:56 -0500 Subject: [PATCH 17/90] [1.x] Add discrete attribute to field details page headers (#989) (#990) --- CHANGELOG.next.md | 1 + docs/field-details.asciidoc | 79 ++++++++++++++++++++++++++++++ scripts/templates/field_details.j2 | 3 ++ 3 files changed, 83 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b3b73b8bda..54ae430335 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -46,6 +46,7 @@ Thanks, you're awesome :-) --> #### Improvements * Field details Jinja2 template components have been consolidated into one template #897 +* Add `[discrete]` marker before each section header in field details. #989 #### Deprecated diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 773c61cce0..d13a5896c5 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3,6 +3,7 @@ The `base` field set contains all fields which are at the root of the events. These fields are common across all types of events. +[discrete] ==== Base Field Details [options="header"] @@ -89,6 +90,7 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +[discrete] ==== Agent Field Details [options="header"] @@ -194,6 +196,7 @@ example: `6.0.0-rc2` An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. +[discrete] ==== Autonomous System Field Details [options="header"] @@ -236,6 +239,7 @@ example: `Google LLC` |===== +[discrete] ==== Field Reuse The `as` fields are expected to be nested at: `client.as`, `destination.as`, `server.as`, `source.as`. @@ -254,6 +258,7 @@ For TCP events, the client is the initiator of the TCP connection that sends the Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +[discrete] ==== Client Field Details [options="header"] 
@@ -419,12 +424,14 @@ example: `co.uk` |===== +[discrete] ==== Field Reuse [[ecs-client-nestings]] +[discrete] ===== Field sets that can be nested under Client [options="header"] @@ -459,6 +466,7 @@ example: `co.uk` Fields related to the cloud or infrastructure the events are coming from. +[discrete] ==== Cloud Field Details [options="header"] @@ -612,6 +620,7 @@ example: `us-east-1` These fields contain information about binary code signatures. +[discrete] ==== Code Signature Field Details [options="header"] @@ -693,6 +702,7 @@ example: `true` |===== +[discrete] ==== Field Reuse The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`. @@ -709,6 +719,7 @@ Container fields are used for meta information about the specific container that These fields help correlate data based containers from any runtime. +[discrete] ==== Container Field Details [options="header"] @@ -807,6 +818,7 @@ Destination fields capture details about the receiver of a network exchange/pack Destination fields are usually populated in conjunction with source fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +[discrete] ==== Destination Field Details [options="header"] @@ -972,12 +984,14 @@ example: `co.uk` |===== +[discrete] ==== Field Reuse [[ecs-destination-nestings]] +[discrete] ===== Field sets that can be nested under Destination [options="header"] @@ -1022,6 +1036,7 @@ Many operating systems refer to "shared code libraries" with different names, bu * Dynamic library (`.dylib`) commonly used on macOS +[discrete] ==== DLL Field Details [options="header"] 
@@ -1060,12 +1075,14 @@ example: `C:\Windows\System32\kernel32.dll` |===== +[discrete] ==== Field Reuse [[ecs-dll-nestings]] +[discrete] ===== Field sets that can be nested under DLL [options="header"] @@ -1102,6 +1119,7 @@ Fields describing DNS queries and answers. DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). +[discrete] ==== DNS Field Details [options="header"] @@ -1386,6 +1404,7 @@ example: `answer` Meta-information specific to ECS. +[discrete] ==== ECS Field Details [options="header"] @@ -1418,6 +1437,7 @@ These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. +[discrete] ==== Error Field Details [options="header"] @@ -1506,6 +1526,7 @@ The event fields are used for context information about the log or metric event A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +[discrete] ==== Event Field Details [options="header"] 
@@ -1944,6 +1965,7 @@ A file is defined as a set of information that has been created on, or has exist File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +[discrete] ==== File Field Details [options="header"] @@ -2254,12 +2276,14 @@ example: `1001` |===== +[discrete] ==== Field Reuse [[ecs-file-nestings]] +[discrete] ===== Field sets that can be nested under File [options="header"] @@ -2302,6 +2326,7 @@ Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +[discrete] ==== Geo Field Details [options="header"] @@ -2420,6 +2445,7 @@ example: `Quebec` |===== +[discrete] ==== Field Reuse The `geo` fields are expected to be nested at: `client.geo`, `destination.geo`, `host.geo`, `observer.geo`, `server.geo`, `source.geo`. @@ -2434,6 +2460,7 @@ Note also that the `geo` fields are not expected to be used directly at the root The group fields are meant to represent groups that are relevant to the event. +[discrete] ==== Group Field Details [options="header"] @@ -2485,6 +2512,7 @@ type: keyword |===== +[discrete] ==== Field Reuse The `group` fields are expected to be nested at: `user.group`. @@ -2501,6 +2529,7 @@ The hash fields represent different hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +[discrete] ==== Hash Field Details [options="header"] @@ -2563,6 +2592,7 @@ type: keyword |===== +[discrete] ==== Field Reuse The `hash` fields are expected to be nested at: `dll.hash`, `file.hash`, `process.hash`. 
@@ -2579,6 +2609,7 @@ A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +[discrete] ==== Host Field Details [options="header"] @@ -2724,12 +2755,14 @@ example: `1325` |===== +[discrete] ==== Field Reuse [[ecs-host-nestings]] +[discrete] ===== Field sets that can be nested under Host [options="header"] @@ -2764,6 +2797,7 @@ example: `1325` Fields related to HTTP activity. Use the `url` field set to store the url of the request. +[discrete] ==== HTTP Field Details [options="header"] @@ -2957,6 +2991,7 @@ example: `1.1` The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. +[discrete] ==== Interface Field Details [options="header"] @@ -3006,6 +3041,7 @@ example: `eth0` |===== +[discrete] ==== Field Reuse The `interface` fields are expected to be nested at: `observer.egress.interface`, `observer.ingress.interface`. @@ -3024,6 +3060,7 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +[discrete] ==== Log Field Details [options="header"] @@ -3230,6 +3267,7 @@ The network is defined as the communication path over which a host or network ev The network.* fields should be populated with details about the network activity associated with an event. +[discrete] ==== Network Field Details [options="header"] 
@@ -3428,12 +3466,14 @@ example: `ipv4` |===== +[discrete] ==== Field Reuse [[ecs-network-nestings]] +[discrete] ===== Field sets that can be nested under Network [options="header"] @@ -3464,6 +3504,7 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +[discrete] ==== Observer Field Details [options="header"] @@ -3655,12 +3696,14 @@ type: keyword |===== +[discrete] ==== Field Reuse [[ecs-observer-nestings]] +[discrete] ===== Field sets that can be nested under Observer [options="header"] @@ -3715,6 +3758,7 @@ The organization fields enrich data with information about the company or entity These fields help you arrange or filter data stored in an index by one or multiple organizations. +[discrete] ==== Organization Field Details [options="header"] @@ -3762,6 +3806,7 @@ Multi-fields: The OS fields contain information about the operating system. +[discrete] ==== Operating System Field Details [options="header"] @@ -3862,6 +3907,7 @@ example: `10.14.1` |===== +[discrete] ==== Field Reuse The `os` fields are expected to be nested at: `host.os`, `observer.os`, `user_agent.os`. 
@@ -3876,6 +3922,7 @@ Note also that the `os` fields are not expected to be used directly at the root These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +[discrete] ==== Package Field Details [options="header"] @@ -4066,6 +4113,7 @@ example: `1.12.9` These fields contain Windows Portable Executable (PE) metadata. +[discrete] ==== PE Header Field Details [options="header"] @@ -4169,6 +4217,7 @@ example: `Microsoft® Windows® Operating System` |===== +[discrete] ==== Field Reuse The `pe` fields are expected to be nested at: `dll.pe`, `file.pe`, `process.pe`. @@ -4185,6 +4234,7 @@ These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +[discrete] ==== Process Field Details [options="header"] @@ -4452,6 +4502,7 @@ example: `/home/alice` |===== +[discrete] ==== Field Reuse The `process` fields are expected to be nested at: `process.parent`. @@ -4462,6 +4513,7 @@ Note also that the `process` fields may be used directly at the root of the even [[ecs-process-nestings]] +[discrete] ===== Field sets that can be nested under Process [options="header"] @@ -4502,6 +4554,7 @@ Note also that the `process` fields may be used directly at the root of the even Fields related to Windows Registry operations. +[discrete] ==== Registry Field Details [options="header"] 
@@ -4619,6 +4672,7 @@ Some pieces of information can be seen in many places in an ECS event. To facili A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +[discrete] ==== Related Field Details [options="header"] @@ -4700,6 +4754,7 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +[discrete] ==== Rule Field Details [options="header"] @@ -4854,6 +4909,7 @@ For TCP events, the server is the receiver of the initial SYN packet(s) of the T Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +[discrete] ==== Server Field Details [options="header"] @@ -5019,12 +5075,14 @@ example: `co.uk` |===== +[discrete] ==== Field Reuse [[ecs-server-nestings]] +[discrete] ===== Field sets that can be nested under Server [options="header"] @@ -5061,6 +5119,7 @@ The service fields describe the service for or from which the data was collected These fields help you find and correlate logs for a specific service and version. +[discrete] ==== Service Field Details [options="header"] 
@@ -5189,6 +5248,7 @@ Source fields capture details about the sender of a network exchange/packet. The Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. +[discrete] ==== Source Field Details [options="header"] @@ -5354,12 +5414,14 @@ example: `co.uk` |===== +[discrete] ==== Field Reuse [[ecs-source-nestings]] +[discrete] ===== Field sets that can be nested under Source [options="header"] @@ -5396,6 +5458,7 @@ Fields to classify events and alerts according to a threat taxonomy such as the These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +[discrete] ==== Threat Field Details [options="header"] @@ -5580,6 +5643,7 @@ example: `https://attack.mitre.org/techniques/T1059/001/` Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. +[discrete] ==== TLS Field Details [options="header"] @@ -5976,12 +6040,14 @@ example: `tls` |===== +[discrete] ==== Field Reuse [[ecs-tls-nestings]] +[discrete] ===== Field sets that can be nested under TLS [options="header"] 
@@ -6010,6 +6076,7 @@ example: `tls` Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +[discrete] ==== Tracing Field Details [options="header"] @@ -6070,6 +6137,7 @@ example: `00f067aa0ba902b7` URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +[discrete] ==== URL Field Details [options="header"] @@ -6290,6 +6358,7 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +[discrete] ==== User Field Details [options="header"] @@ -6410,6 +6479,7 @@ example: `["kibana_admin", "reporting_user"]` |===== +[discrete] ==== Field Reuse The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`. @@ -6420,6 +6490,7 @@ Note also that the `user` fields may be used directly at the root of the events. [[ecs-user-nestings]] +[discrete] ===== Field sets that can be nested under User [options="header"] @@ -6444,6 +6515,7 @@ The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. +[discrete] ==== User agent Field Details [options="header"] @@ -6512,12 +6584,14 @@ example: `12.0` |===== +[discrete] ==== Field Reuse [[ecs-user_agent-nestings]] +[discrete] ===== Field sets that can be nested under User agent [options="header"] 
@@ -6546,6 +6620,7 @@ Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +[discrete] ==== VLAN Field Details [options="header"] @@ -6582,6 +6657,7 @@ example: `outside` |===== +[discrete] ==== Field Reuse The `vlan` fields are expected to be nested at: `network.inner.vlan`, `network.vlan`, `observer.egress.vlan`, `observer.ingress.vlan`. @@ -6596,6 +6672,7 @@ Note also that the `vlan` fields are not expected to be used directly at the roo The vulnerability fields describe information about a vulnerability that is relevant to an event. +[discrete] ==== Vulnerability Field Details [options="header"] @@ -6799,6 +6876,7 @@ example: `Critical` This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). +[discrete] ==== x509 Certificate Field Details [options="header"] @@ -7160,6 +7238,7 @@ example: `3` |===== +[discrete] ==== Field Reuse The `x509` fields are expected to be nested at: `file.x509`, `tls.client.x509`, `tls.server.x509`. diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2 index 0b1bb6e224..1ceedf55e0 100644 --- a/scripts/templates/field_details.j2 +++ b/scripts/templates/field_details.j2 
@@ -5,6 +5,7 @@ {{ fieldset['description']|replace("\n", "\n\n") }} {# Field Details Table Header -#} +[discrete] ==== {{ fieldset['title'] }} Field Details [options="header"] @@ -67,6 +68,7 @@ example: `{{ field['example'] }}` {# do we have `nestings` or `reusable` sections to worry about? -#} {% if 'nestings' in fieldset or 'reusable' in fieldset -%} +[discrete] ==== Field Reuse {% if 'reusable' in fieldset -%} @@ -88,6 +90,7 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d {% if 'nestings' in fieldset -%} [[ecs-{{ fieldset['name'] }}-nestings]] +[discrete] ===== Field sets that can be nested under {{ fieldset['title'] }} [options="header"] From e086abbfb095b9531aadab6066c5089c991d97ad Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Fri, 2 Oct 2020 15:04:45 -0500 Subject: [PATCH 18/90] [1.x] Uniformity across domain name breakdown fields (#981) (#994) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 1 + code/go/ecs/client.go | 11 +++ code/go/ecs/destination.go | 11 +++ code/go/ecs/server.go | 11 +++ code/go/ecs/source.go | 11 +++ code/go/ecs/url.go | 11 +++ docs/field-details.asciidoc | 75 +++++++++++++++++++++ generated/beats/fields.ecs.yml | 70 +++++++++++++++++++ generated/csv/fields.csv | 5 ++ generated/ecs/ecs_flat.yml | 90 +++++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 90 +++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 20 ++++++ generated/elasticsearch/7/template.json | 20 ++++++ schemas/client.yml | 15 +++++ schemas/destination.yml | 15 +++++ schemas/server.yml | 15 +++++ schemas/source.yml | 15 +++++ schemas/url.yml | 15 +++++ 18 files changed, 501 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 54ae430335..6d9738be17 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -26,6 +26,7 @@ Thanks, you're awesome :-) --> * Expanded field set definitions for `source.*` and `destination.*`. #967 * Provided better guidance for mapping network events. #969 +* Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981 #### Deprecated diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go index 2e11982755..9c6336d4bf 100644 --- a/code/go/ecs/client.go +++ b/code/go/ecs/client.go @@ -70,6 +70,17 @@ type Client struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the client to the server. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go index e3417e5bb9..1985e8720b 100644 --- a/code/go/ecs/destination.go +++ b/code/go/ecs/destination.go 
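Review bot: The third line of the new Subdomain doc comment in client.go has a duplicated word, `// partially qualified domain, or if the the qualification level of the`, which should read `// partially qualified domain, or if the qualification level of the`; the identical sentence recurs in the destination.go, server.go, source.go and url.go hunks and in the asciidoc, beats, csv and ecs_flat outputs, so the fix presumably belongs in the schemas/*.yml descriptions named in the diffstat, with the other files regenerated rather than hand-edited. The two examples in that comment also read inconsistently: the first treats "www" as the host name and excludes it, while the second keeps every label of "sub2.sub1.example.com", which leaves producers free to fill the field differently and works against the uniformity this change is after, so a sentence stating which rule applies when the host label cannot be identified would settle it. The Client struct begins and ends outside the hunk.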
@@ -66,6 +66,17 @@ type Destination struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the destination to the source. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go index 74253bbb72..bc395a115c 100644 --- a/code/go/ecs/server.go +++ b/code/go/ecs/server.go @@ -70,6 +70,17 @@ type Server struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the server to the client. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go index f8ab84d581..3e4becbbbd 100644 --- a/code/go/ecs/source.go +++ b/code/go/ecs/source.go 
@@ -66,6 +66,17 @@ type Source struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Bytes sent from the source to the destination. Bytes int64 `ecs:"bytes"` diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index 7afac8f4ba..6c1ac3be75 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -62,6 +62,17 @@ type Url struct { // as "co.uk". TopLevelDomain string `ecs:"top_level_domain"` + // The subdomain portion of a fully qualified domain name includes all of + // the names except the host name under the registered_domain. In a + // partially qualified domain, or if the the qualification level of the + // full name cannot be determined, subdomain contains all of the names + // below the registered domain. + // For example the subdomain portion of "www.east.mydomain.co.uk" is + // "east". If the domain has multiple levels of subdomain, such as + // "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", + // with no trailing period. + Subdomain string `ecs:"subdomain"` + // Port of the request, such as 443. Port int64 `ecs:"port"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d13a5896c5..b716165642 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -407,6 +407,21 @@ example: `example.com` // =============================================================== +| client.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -967,6 +982,21 @@ example: `example.com` // =============================================================== +| destination.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
@@ -5058,6 +5088,21 @@ example: `example.com` // =============================================================== +| server.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -5397,6 +5442,21 @@ example: `example.com` // =============================================================== +| source.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
@@ -6321,6 +6381,21 @@ example: `https` // =============================================================== +| url.subdomain +| The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + +For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + +type: keyword + + + +example: `east` + +| extended + +// =============================================================== + | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 573abe8499..150ee1d911 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -302,6 +302,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -709,6 +723,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword 
@@ -4105,6 +4133,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword @@ -4427,6 +4469,20 @@ list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword 
@@ -5337,6 +5393,20 @@ Note: The `:` is not part of the scheme.' example: https + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false - name: top_level_domain level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 5b56c77a2a..baa380bfb8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -30,6 +30,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 1.7.0-dev,true,client,client.port,long,core,,,Port of the client. 1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address. 
@@ -80,6 +81,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. 1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. @@ -478,6 +480,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 1.7.0-dev,true,server,server.port,long,core,,,Port of the server. 1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address. 
@@ -519,6 +522,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 1.7.0-dev,true,source,source.port,long,core,,,Port of the source. 1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address. @@ -637,6 +641,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. 1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 64540cebfe..a209023534 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -348,6 +348,24 @@ client.registered_domain: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -925,6 +943,24 @@ destination.registered_domain: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -6144,6 +6180,24 @@ server.registered_domain: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -6652,6 +6706,24 @@ source.registered_domain: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, 
@@ -8124,6 +8196,24 @@ url.scheme: normalize: [] short: Scheme of the url. type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ee213ac0c8..2189a64503 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -494,6 +494,24 @@ client: normalize: [] short: The highest registered client domain, stripped of the subdomain. type: keyword + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword client.top_level_domain: dashed_name: client-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain 
@@ -1213,6 +1231,24 @@ destination: normalize: [] short: The highest registered destination domain, stripped of the subdomain. type: keyword + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword destination.top_level_domain: dashed_name: destination-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain 
@@ -7281,6 +7317,24 @@ server: normalize: [] short: The highest registered server domain, stripped of the subdomain. type: keyword + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword server.top_level_domain: dashed_name: server-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain 
@@ -7833,6 +7887,24 @@ source: normalize: [] short: The highest registered source domain, stripped of the subdomain. type: keyword + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword source.top_level_domain: dashed_name: source-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain 
@@ -9374,6 +9446,24 @@ url: normalize: [] short: Scheme of the url. type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword url.top_level_domain: dashed_name: url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index b16d3576ce..493159d4b3 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -151,6 +151,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -404,6 +408,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2254,6 +2262,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2452,6 +2464,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" 
@@ -3013,6 +3029,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 08071d1b91..b63f3af1c7 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -150,6 +150,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -403,6 +407,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2253,6 +2261,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2451,6 +2463,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -3012,6 +3028,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/client.yml b/schemas/client.yml index ec6175f692..e63ab70276 100644 --- a/schemas/client.yml +++ b/schemas/client.yml 
@@ -85,6 +85,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk".
 example: co.uk
+ - name: subdomain
+ level: extended
+ type: keyword
+ short: The subdomain of the domain.
+ description: >
+ The subdomain portion of a fully qualified domain name includes all of the names except
+ the host name under the registered_domain. In a partially qualified domain, or if the
+ the qualification level of the full name cannot be determined, subdomain contains all of
+ the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.
+ example: east
+
 # Metrics
 - name: bytes
 format: bytes
diff --git a/schemas/destination.yml b/schemas/destination.yml
index 42d3e154d5..a1e91958f7 100644
--- a/schemas/destination.yml
+++ b/schemas/destination.yml
@@ -80,6 +80,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk".
 example: co.uk
+ - name: subdomain
+ level: extended
+ type: keyword
+ short: The subdomain of the domain.
+ description: >
+ The subdomain portion of a fully qualified domain name includes all of the names except
+ the host name under the registered_domain. In a partially qualified domain, or if the
+ the qualification level of the full name cannot be determined, subdomain contains all of
+ the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.
+ example: east
+
 # Metrics
 - name: bytes
 format: bytes
diff --git a/schemas/server.yml b/schemas/server.yml
index 19fee450be..867b3bd03c 100644
--- a/schemas/server.yml
+++ b/schemas/server.yml
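Review bot: The new `description: >` block in schemas/client.yml carries a duplicated word across its line break, `or if the` / `the qualification level`, which folds to "or if the the qualification level" in every generated artifact; the same text is pasted into the destination, server, source and url hunks, so it needs fixing in all five schema files before regenerating. The two examples also appear to follow different rules: for `www.east.mydomain.co.uk` the leftmost label `www` is dropped as the host name and the result is `east`, while for `sub2.sub1.example.com` the leftmost label is kept and the result is `sub2.sub1`, whereas the stated rule ("all of the names except the host name") would give `sub1`. One sentence saying exactly which labels are excluded (or changing the second example to a value that matches the rule) would keep different producers from populating this field inconsistently, which matters because analysts correlate across sources on it.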
@@ -85,6 +85,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk".
 example: co.uk
+ - name: subdomain
+ level: extended
+ type: keyword
+ short: The subdomain of the domain.
+ description: >
+ The subdomain portion of a fully qualified domain name includes all of the names except
+ the host name under the registered_domain. In a partially qualified domain, or if the
+ the qualification level of the full name cannot be determined, subdomain contains all of
+ the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.
+ example: east
+
 # Metrics
 - name: bytes
 format: bytes
diff --git a/schemas/source.yml b/schemas/source.yml
index 65539b3d60..268b975312 100644
--- a/schemas/source.yml
+++ b/schemas/source.yml
@@ -80,6 +80,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk".
 example: co.uk
+ - name: subdomain
+ level: extended
+ type: keyword
+ short: The subdomain of the domain.
+ description: >
+ The subdomain portion of a fully qualified domain name includes all of the names except
+ the host name under the registered_domain. In a partially qualified domain, or if the
+ the qualification level of the full name cannot be determined, subdomain contains all of
+ the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.
+ example: east
+
 # Metrics
 - name: bytes
 format: bytes
diff --git a/schemas/url.yml b/schemas/url.yml
index 6ae2b572f2..8a523fbc8d 100644
--- a/schemas/url.yml
+++ b/schemas/url.yml
@@ -88,6 +88,21 @@ simply taking the last label will not work well for effective TLDs such as "co.uk".
 example: co.uk
+ - name: subdomain
+ level: extended
+ type: keyword
+ short: The subdomain of the domain.
+ description: >
+ The subdomain portion of a fully qualified domain name includes all of the names except
+ the host name under the registered_domain. In a partially qualified domain, or if the
+ the qualification level of the full name cannot be determined, subdomain contains all of
+ the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.
+ example: east
+
 - name: port
 format: string
 level: extended
From b9b1ba50c9400f4195b260dbb4e0253b18c012ee Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Fri, 2 Oct 2020 16:26:38 -0400 Subject: [PATCH 19/90] Add --oss flag to the ECS generator script (#991) (#995) --- CHANGELOG.next.md | 1 + USAGE.md | 27 ++++++++++++++++++++- scripts/generator.py | 14 +++++++---- scripts/schema/oss.py | 29 ++++++++++++++++++++++ scripts/tests/unit/test_schema_oss.py | 35 +++++++++++++++++++++++++++ 5 files changed, 100 insertions(+), 6 deletions(-) create mode 100644 scripts/schema/oss.py create mode 100644 scripts/tests/unit/test_schema_oss.py
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 6d9738be17..afd179c547 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -43,6 +43,7 @@ Thanks, you're awesome :-) -->
 * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
 * Added check under `--strict` that ensures composite types in example fields are quoted. #966
 * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
+* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
 #### Improvements
diff --git a/USAGE.md b/USAGE.md index e70da6b14f..cb0c49bf27 100644 --- a/USAGE.md +++ b/USAGE.md @@ -29,6 +29,7 @@ relevant artifacts for their unique set of data sources. + [Subset](#subset) + [Ref](#ref) + [Mapping & Template Settings](#mapping--template-settings) + + [OSS](#oss) + [Strict Mode](#strict-mode) + [Intermediate-Only](#intermediate-only) @@ -295,6 +296,30 @@ The `--template-settings` argument defines [index level settings](https://www.el For `template.json`, the `mappings` object is left empty: `{}`. Likewise the `properties` object remains empty in the `mapping.json` example. This will be filled in automatically by the script. +#### OSS + +**IMPORTANT**: This feature is unnecessary for most users. Our default free distribution +comes with the Elastic Basic license, and supports all data types used by ECS. +Learn more about our licenses [here](https://www.elastic.co/subscriptions). + +Users that want to use the open source version of Elasticsearch do not have access to the basic data types. +However some of these types have an OSS replacement that can be used instead, without too much loss of functionality. + +This flag performs a best effort fallback, replacing basic data types with their OSS replacement. + +Indices using purely OSS types will benefit from the normalization of ECS, but may be missing on some of the added functionality of these basic types. + +Current fallbacks applied by this flag are: + +- `wildcard` => `keyword` +- `version` => `keyword` + +Usage: + +``` +$ python scripts/generator.py --oss +``` + #### Strict Mode The `--strict` argument enables "strict mode". Strict mode performs a stricter validation step against the schema's contents. @@ -302,7 +327,7 @@ The `--strict` argument enables "strict mode". Strict mode performs a stricter v Basic usage: ``` -$ python/generator.py --strict +$ python scripts/generator.py --strict ``` Strict mode requires the following conditions, else the script exits on an exception: 
diff --git a/scripts/generator.py b/scripts/generator.py
index 733f4155fe..b6dcf05db9 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -12,6 +12,7 @@ from generators import intermediate_files
 from schema import loader
+from schema import oss
 from schema import cleaner
 from schema import finalizer
 from schema import subset_filter
@@ -41,6 +42,8 @@ def main():
 # ecs_helpers.yaml_dump('ecs.yml', fields)
 fields = loader.load_schemas(ref=args.ref, included_files=args.include)
+ if args.oss:
+ oss.fallback(fields)
 cleaner.clean(fields, strict=args.strict)
 finalizer.finalize(fields)
 fields = subset_filter.filter(fields, args.subset, out_dir)
@@ -60,20 +63,21 @@ def main(): def argument_parser(): parser = argparse.ArgumentParser() - parser.add_argument('--intermediate-only', action='store_true', - help='generate intermediary files only') + parser.add_argument('--ref', action='store', help='git reference to use when building schemas') parser.add_argument('--include', nargs='+', help='include user specified directory of custom field definitions') parser.add_argument('--subset', nargs='+', help='render a subset of the schema') - parser.add_argument('--out', action='store', help='directory to store the generated files') - parser.add_argument('--ref', action='store', help='git reference to use when building schemas') + parser.add_argument('--out', action='store', help='directory to output the generated files') parser.add_argument('--template-settings', action='store', help='index template settings to use when generating elasticsearch template') parser.add_argument('--mapping-settings', action='store', help='mapping settings to use when generating elasticsearch template') + parser.add_argument('--oss', action='store_true', help='replace basic data types with oss ones where possible') parser.add_argument('--strict', action='store_true', - help='enforce stricter checking at schema cleanup') + help='enforce strict checking at schema cleanup') + parser.add_argument('--intermediate-only', action='store_true', + help='generate intermediary files only') args = parser.parse_args() # Clean up empty include of the Makefile if args.include and [''] == args.include: diff --git a/scripts/schema/oss.py b/scripts/schema/oss.py new file mode 100644 index 0000000000..ba38a254b1 --- /dev/null +++ b/scripts/schema/oss.py 
@@ -0,0 +1,29 @@
+# This script performs a best effort fallback of basic data types to equivalent
+# OSS data types.
+# Note however that not all basic data types have an OSS replacement.
+#
+# The way this script is currently written, it has to be run on the fields *before*
+# the cleaner script applies defaults, as there's no concept of defaults here.
+# But since it navigates using the visitor script, it can easily be moved around
+# in the chain, provided we add support for defaults as well.
+#
+# For now, no warning is output on basic fields that don't have a fallback.
+# This could be improved if ECS starts using such types.
+
+from schema import visitor
+
+TYPE_FALLBACKS = {
+ 'wildcard': 'keyword',
+ 'version': 'keyword'
+}
+
+
+def fallback(fields):
+ """Verify all fields for basic data type usage, and fallback to an OSS equivalent if appropriate."""
+ visitor.visit_fields(fields, field_func=perform_fallback)
+
+
+def perform_fallback(field):
+ """Performs a best effort fallback of basic data types to equivalent OSS data types."""
+ if field['field_details']['type'] in TYPE_FALLBACKS.keys():
+ field['field_details']['type'] = TYPE_FALLBACKS[field['field_details']['type']]
diff --git a/scripts/tests/unit/test_schema_oss.py b/scripts/tests/unit/test_schema_oss.py
new file mode 100644
index 0000000000..4ac08d9d08
--- /dev/null
+++ b/scripts/tests/unit/test_schema_oss.py
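Review bot: `perform_fallback` indexes `field['field_details']['type']` three times and will raise KeyError for any field whose `type` is not yet present, which the header comment itself makes plausible by requiring the function to run before the cleaner applies defaults; I'd read the value once with `.get` and drop the redundant `.keys()` (`in TYPE_FALLBACKS` already tests keys): `details = field['field_details']`, `if details.get('type') in TYPE_FALLBACKS:`, `details['type'] = TYPE_FALLBACKS[details['type']]`. The header also states that basic types without a fallback are silently left alone; since the flag's purpose is to produce a template that loads on an OSS cluster, a one-line warning naming the field and its unmapped type would make a later load failure diagnosable without re-running the generator.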
@@ -0,0 +1,35 @@
+import os
+import pprint
+import sys
+import unittest
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '../..'))
+
+from schema import oss
+from schema import visitor
+
+
+class TestSchemaOss(unittest.TestCase):
+
+ def setUp(self):
+ self.maxDiff = None
+
+ def test_wildcard_fallback(self):
+ field = {'field_details': {'name': 'myfield', 'type': 'wildcard'}}
+ oss.perform_fallback(field)
+ self.assertEqual('keyword', field['field_details']['type'])
+
+ def test_version_fallback(self):
+ field = {'field_details': {'name': 'myfield', 'type': 'version'}}
+ oss.perform_fallback(field)
+ self.assertEqual('keyword', field['field_details']['type'])
+
+ def test_basic_without_fallback(self):
+ field = {'field_details': {'name': 'myfield', 'type': 'histogram'}}
+ oss.perform_fallback(field)
+ self.assertEqual('histogram', field['field_details']['type'])
+
+ def test_oss_no_fallback(self):
+ field = {'field_details': {'name': 'myfield', 'type': 'keyword'}}
+ oss.perform_fallback(field)
+ self.assertEqual('keyword', field['field_details']['type'])
From d8471847336d9885cf5dfda1350c9a77212ca2d4 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Fri, 2 Oct 2020 17:04:51 -0400 Subject: [PATCH 20/90] Add network directions ingress and egress (#945) (#997) --- CHANGELOG.next.md | 1 + code/go/ecs/network.go | 23 ++++++++++++++++------- docs/field-details.asciidoc | 12 +++++++++--- generated/beats/fields.ecs.yml | 20 +++++++++++++------- generated/ecs/ecs_flat.yml | 20 +++++++++++++------- generated/ecs/ecs_nested.yml | 20 +++++++++++++------- schemas/network.yml | 19 ++++++++++++++----- 7 files changed, 79 insertions(+), 36 deletions(-)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index afd179c547..417377de00 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
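Review bot: `import pprint` and `from schema import visitor` are imported but never used in this test module, and `self.maxDiff = None` in `setUp` has no effect on the single-value `assertEqual` calls below it; dropping the three lines keeps the file lint-clean. The four tests only exercise `perform_fallback` on a bare field dict, so the public entry point `fallback(fields)` and its traversal through `visitor.visit_fields` are untested; one test that builds a small nested fields structure, calls `oss.fallback(fields)` and asserts that a `wildcard` leaf was rewritten would catch a regression in the visitor wiring that the current tests cannot.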
@@ -21,6 +21,7 @@ Thanks, you're awesome :-) --> * Added Mime Type fields to HTTP request and response. #944 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 +* Added network directions ingress and egress. #945 #### Improvements diff --git a/code/go/ecs/network.go b/code/go/ecs/network.go index e47d15abd2..a696a4e419 100644 --- a/code/go/ecs/network.go +++ b/code/go/ecs/network.go @@ -61,6 +61,8 @@ type Network struct { // Direction of the network traffic. // Recommended values are: + // * ingress + // * egress // * inbound // * outbound // * internal @@ -68,10 +70,17 @@ type Network struct { // * unknown // // When mapping events from a host-based monitoring context, populate this - // field from the host's point of view. + // field from the host's point of view, using the values "ingress" or + // "egress". // When mapping events from a network or perimeter-based monitoring - // context, populate this field from the point of view of your network - // perimeter. + // context, populate this field from the point of view of the network + // perimeter, using the values "inbound", "outbound", "internal" or + // "external". + // Note that "internal" is not crossing perimeter boundaries, and is meant + // to describe communication between two hosts within the perimeter. Note + // also that "external" is meant to describe traffic between two hosts that + // are external to the perimeter. This could for example be useful for ISPs + // or VPN service providers. Direction string `ecs:"direction"` // Host IP address when the source IP address is the proxy. 
@@ -94,9 +103,9 @@ type Network struct { Packets int64 `ecs:"packets"` // Network.inner fields are added in addition to network.vlan fields to - // describe the innermost VLAN when q-in-q VLAN tagging is present. - // Allowed fields include vlan.id and vlan.name. Inner vlan fields are - // typically used when sending traffic with multiple 802.1q encapsulations - // to a network sensor (e.g. Zeek, Wireshark.) + // describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + // fields include vlan.id and vlan.name. Inner vlan fields are typically + // used when sending traffic with multiple 802.1q encapsulations to a + // network sensor (e.g. Zeek, Wireshark.) Inner map[string]interface{} `ecs:"inner"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index b716165642..9bd030d0af 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3356,6 +3356,10 @@ example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` Recommended values are: + * ingress + + * egress + * inbound * outbound 
@@ -3368,9 +3372,11 @@ Recommended values are: -When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. type: keyword @@ -3409,7 +3415,7 @@ example: `6` // =============================================================== | network.inner -| Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +| Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) type: object diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 150ee1d911..807ffd2115 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2622,11 +2622,17 @@ type: keyword ignore_above: 1024 description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound - name: forwarded_ip level: core @@ -2645,8 +2651,8 @@ level: extended type: object description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) default_field: false 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a209023534..08277b4372 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -4019,11 +4019,17 @@ network.community_id: type: keyword network.direction: dashed_name: network-direction - description: "Direction of the network traffic.\nRecommended values are:\n * inbound\n\ - \ * outbound\n * internal\n * external\n * unknown\n\nWhen mapping events\ - \ from a host-based monitoring context, populate this field from the host's point\ - \ of view.\nWhen mapping events from a network or perimeter-based monitoring context,\ - \ populate this field from the point of view of your network perimeter." + description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ + \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ + \nWhen mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ + When mapping events from a network or perimeter-based monitoring context, populate\ + \ this field from the point of view of the network perimeter, using the values\ + \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ + \ is not crossing perimeter boundaries, and is meant to describe communication\ + \ between two hosts within the perimeter. Note also that \"external\" is meant\ + \ to describe traffic between two hosts that are external to the perimeter. This\ + \ could for example be useful for ISPs or VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 
@@ -4058,8 +4064,8 @@ network.iana_number: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields to - describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields - include vlan.id and vlan.name. Inner vlan fields are typically used when sending + describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields + include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 2189a64503..b4fecef933 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4768,11 +4768,17 @@ network: network.direction: dashed_name: network-direction description: "Direction of the network traffic.\nRecommended values are:\n \ - \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ - \ mapping events from a host-based monitoring context, populate this field\ - \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ - \ monitoring context, populate this field from the point of view of your network\ - \ perimeter." + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." example: inbound flat_name: network.direction ignore_above: 1024 @@ -4807,8 +4813,8 @@ network: network.inner: dashed_name: network-inner description: Network.inner fields are added in addition to network.vlan fields - to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed - fields include vlan.id and vlan.name. Inner vlan fields are typically used + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) flat_name: network.inner 
diff --git a/schemas/network.yml b/schemas/network.yml index 4b01088e9a..c6fed904b7 100644 --- a/schemas/network.yml +++ b/schemas/network.yml @@ -85,6 +85,8 @@ Direction of the network traffic. Recommended values are: + * ingress + * egress * inbound * outbound * internal @@ -92,10 +94,17 @@ * unknown When mapping events from a host-based monitoring context, populate this - field from the host's point of view. + field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, - populate this field from the point of view of your network perimeter. + populate this field from the point of view of the network perimeter, + using the values "inbound", "outbound", "internal" or "external". + + Note that "internal" is not crossing perimeter boundaries, and is meant + to describe communication between two hosts within the perimeter. Note also + that "external" is meant to describe traffic between two hosts that are + external to the perimeter. This could for example be useful for ISPs or + VPN service providers. example: inbound - name: forwarded_ip @@ -138,14 +147,14 @@ If `source.packets` and `destination.packets` are known, `network.packets` is their sum. example: 24 - + # q-in-q vlan fields for identifying 802.1q nested vlans - name: inner level: extended type: object short: Inner VLAN tag information description: > - Network.inner fields are added in addition to network.vlan fields to describe - the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include + Network.inner fields are added in addition to network.vlan fields to describe + the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) From 4a49618ff70a199f155031fbb4e46c43779d2952 Mon Sep 17 00:00:00 2001 
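Review bot: The new description splits the recommended values into two vocabularies, "ingress"/"egress" for host-based sources and "inbound"/"outbound"/"internal"/"external" for perimeter sources, but says nothing about how a consumer querying a mixed index should treat them; a detection rule written against `network.direction: inbound` will no longer match host-based events that now correctly emit `ingress`. The `* unknown` entry is also kept in the list yet is addressed by neither context sentence. Consider closing the description with a sentence such as `Consumers querying data from both contexts should match on both the host-based and perimeter-based value for a given direction (for example "ingress" and "inbound").`, and one noting when "unknown" is appropriate.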
From: Mathieu Martin Date: Mon, 5 Oct 2020 10:40:32 -0400 Subject: [PATCH 21/90] Mention ECS Mapper in the main documentation (#987) (#1000) Co-authored-by: Dan Roscigno --- docs/converting.asciidoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/converting.asciidoc b/docs/converting.asciidoc index 1db1fc7818..b4edd76e1d 100644 --- a/docs/converting.asciidoc +++ b/docs/converting.asciidoc @@ -44,3 +44,18 @@ Here's the recommended approach for converting an existing implementation to {ec . Set `ecs.version` to the version of the schema you are conforming to. This will allow you to upgrade your sources, pipelines and content (like dashboards) smoothly in the future. + +[float] +[[ecs-conv-spreasheet]] +==== Using a spreadsheet to plan your migration + +Using a spreadsheet to plan the migration from pre-existing source fields to ECS +is a common practice. It's a good way to address each of your fields methodically among colleagues. + +If the data source is either a structured log, or if you already have a pipeline +producing events with these non-ECS field names, the tool +https://github.com/elastic/ecs-mapper[ECS Mapper] may help you get started in performing all of these field renames. + +After exporting your mapping spreadsheet to CSV, ECS Mapper will convert your field mapping +to equivalent pipelines for Beats, Elasticsearch, and Logstash. Learn more at +https://github.com/elastic/ecs-mapper[ECS Mapper]. From 20ae5e0e359524d17c893549fbf90c0b5db5d2af Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Mon, 5 Oct 2020 10:22:53 -0500 Subject: [PATCH 22/90] [1.x] Introduce experimental artifacts (#993) (#1001) Co-authored-by: Mathieu Martin --- .gitignore | 4 + Makefile | 7 +- experimental/README.md | 26 + experimental/generated/beats/fields.ecs.yml | 6063 +++++++++ experimental/generated/csv/fields.csv | 720 ++ experimental/generated/ecs/ecs_flat.yml | 8956 +++++++++++++ experimental/generated/ecs/ecs_nested.yml | 10663 ++++++++++++++++ .../generated/elasticsearch/7/template.json | 3332 +++++ experimental/schemas/agent.yml | 5 + experimental/schemas/as.yml | 5 + experimental/schemas/client.yml | 7 + experimental/schemas/destination.yml | 7 + experimental/schemas/dns.yml | 7 + experimental/schemas/error.yml | 9 + experimental/schemas/event.yml | 5 + experimental/schemas/file.yml | 9 + experimental/schemas/geo.yml | 5 + experimental/schemas/host.yml | 4 + experimental/schemas/http.yml | 9 + experimental/schemas/log.yml | 7 + experimental/schemas/organization.yml | 5 + experimental/schemas/os.yml | 7 + experimental/schemas/pe.yml | 5 + experimental/schemas/process.yml | 13 + experimental/schemas/registry.yml | 9 + experimental/schemas/server.yml | 7 + experimental/schemas/source.yml | 7 + experimental/schemas/tls.yml | 11 + experimental/schemas/url.yml | 13 + experimental/schemas/user.yml | 17 + experimental/schemas/user_agent.yml | 5 + experimental/schemas/x509.yml | 7 + 32 files changed, 29955 insertions(+), 1 deletion(-) create mode 100644 experimental/README.md create mode 100644 experimental/generated/beats/fields.ecs.yml create mode 100644 experimental/generated/csv/fields.csv create mode 100644 experimental/generated/ecs/ecs_flat.yml create mode 100644 experimental/generated/ecs/ecs_nested.yml create mode 100644 experimental/generated/elasticsearch/7/template.json create mode 100644 experimental/schemas/agent.yml create mode 100644 experimental/schemas/as.yml create mode 100644 experimental/schemas/client.yml create mode 100644 
experimental/schemas/destination.yml create mode 100644 experimental/schemas/dns.yml create mode 100644 experimental/schemas/error.yml create mode 100644 experimental/schemas/event.yml create mode 100644 experimental/schemas/file.yml create mode 100644 experimental/schemas/geo.yml create mode 100644 experimental/schemas/host.yml create mode 100644 experimental/schemas/http.yml create mode 100644 experimental/schemas/log.yml create mode 100644 experimental/schemas/organization.yml create mode 100644 experimental/schemas/os.yml create mode 100644 experimental/schemas/pe.yml create mode 100644 experimental/schemas/process.yml create mode 100644 experimental/schemas/registry.yml create mode 100644 experimental/schemas/server.yml create mode 100644 experimental/schemas/source.yml create mode 100644 experimental/schemas/tls.yml create mode 100644 experimental/schemas/url.yml create mode 100644 experimental/schemas/user.yml create mode 100644 experimental/schemas/user_agent.yml create mode 100644 experimental/schemas/x509.yml diff --git a/.gitignore b/.gitignore index 20c4de146e..a3cabe1d6a 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,7 @@ build .idea *.iml .vscode/* + +# experimental exclusions +experimental/generated/elasticsearch/6 +experimental/generated/docs diff --git a/Makefile b/Makefile index 37617d391e..4261504635 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ VERSION := $(shell cat version) # Check verifies that all of the committed files that are generated are # up-to-date. .PHONY: check -check: generate test fmt misspell makelint check-license-headers +check: generate experimental test fmt misspell makelint check-license-headers # Check if diff is empty. git diff | cat git update-index --refresh 
@@ -46,6 +46,11 @@ docs: fi ./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=1 $(OPEN_DOCS) --out ./build/html_docs +# Alias to generate experimental artifacts +.PHONY: experimental +experimental: ve + $(PYTHON) scripts/generator.py --include experimental/schemas --out experimental + # Format code and files in the repo. .PHONY: fmt fmt: ve diff --git a/experimental/README.md b/experimental/README.md new file mode 100644 index 0000000000..c9141e8e6a --- /dev/null +++ b/experimental/README.md 
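Review bot: The new `experimental` target regenerates everything under `experimental/`, and `check` (hunk at the previous line) now depends on it before running `git diff`, but the `.gitignore` hunk in the same commit excludes `experimental/generated/elasticsearch/6` and `experimental/generated/docs`, so two of the generator's outputs are produced on every `make check` and silently never compared; the target does not document this. A short comment above the recipe would save the next maintainer from wondering why those directories differ from the committed artifacts, for example `# Outputs under experimental/generated/elasticsearch/6 and experimental/generated/docs are git-ignored (see .gitignore) and therefore not verified by the check target.` If the ES 6 template and docs are meant to be unsupported for experimental schemas, saying so here is clearer than relying on the ignore rule.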
@@ -0,0 +1,26 @@ +# ECS Experimental Definitions + +ECS experimental definitions are changes and features which have reached [stage two](https://elastic.github.io/ecs/stages.html) in the ECS [RFC process](../rfcs) + +Stage two changes only appear in the experimental artifacts in this directory, but aren't yet reflected in the official ECS documentation. +Note that stage three and four proposals do appear in the official ECS documentation. + +These experimental changes to ECS are comprehensive but not necessarily final. They are also still subject to breaking changes. + +## Schema Files + +The [experimental/schemas](./schemas) directory contains the YAML files for the experimental field definitions. These are not always complete schemas. They can also be supplemental changes to be merged with the official schema spec, using the `--include` generator flag. + +If you use the ECS generator script as described in [USAGE.md](../USAGE.md) to maintain your custom index templates, here's how you can try these experimental changes in your project: + +```sh +$ python scripts/generator.py --include experimental/schemas \ + --include ../myproject/fields/custom/ \ + --out ../myproject/fields/generated +``` + +The above would include all experimental changes to ECS along with your custom fields, and output the artifacts in `myproject/fields/generated`. + +## Generated Artifacts + +Various files generated based on the experimental ECS spec. The artifacts are generated using `make experimental` and published [here](./generated). diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml new file mode 100644 index 0000000000..35064b122e --- /dev/null +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -0,0 +1,6063 @@ +# WARNING! Do not edit this file directly, it was generated by the ECS project, +# based on ECS version 1.7.0-dev. +# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. + +- key: ecs + title: ECS + description: ECS Fields. + fields: + - name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' + - name: labels + level: core + type: object + object_type: keyword + description: 'Custom key/value pairs. + + Can be used to add meta information to events. Should not contain nested objects. + All values are stored as keyword. + + Example: `docker` and `k8s` labels.' + example: '{"application": "foo-bar", "env": "production"}' + - name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World + - name: tags + level: core + type: keyword + ignore_above: 1024 + description: List of keywords used to tag each event. + example: '["production", "env2"]' + - name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. 
ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: build.original + level: core + type: wildcard + description: 'Extended build information for the agent. + + This field is intended to contain any build information that a data source + may provide, no specific formatting is required.' + example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c + built 2020-02-05 23:10:10 +0000 UTC] + default_field: false + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not.' + example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. + + The agent type always stays the same and should be given by the agent used. 
+ In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 + - name: as + title: Autonomous System + group: 2 + description: An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on + behalf of a single administrative entity or domain that presents a common, clearly + defined routing policy to the internet. + type: group + fields: + - name: number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC + - name: client + title: Client + group: 2 + description: 'A client is defined as the initiator of a network connection for + events regarding sessions, connections, or bidirectional flow records. + + For TCP events, the client is the initiator of the TCP connection that sends + the SYN packet(s). For other protocols, the client is generally the initiator + or requestor in the network transaction. Some systems use the term "originator" + to refer the client in TCP connections. The client fields describe details about + the system acting as the client in the network event. Client fields are usually + populated in conjunction with server fields. Client fields are generally not + populated for packet-level events. + + Client / server representations can add semantic context to an exchange, which + is helpful to visualize the data in certain situations. 
If your context falls + in that category, you should still ensure that source and destination are filled + appropriately.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event client addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the client to the server. + example: 184 + - name: domain + level: core + type: wildcard + description: Client domain. + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: ip + level: core + type: ip + description: IP address of the client (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the client. + - name: nat.ip + level: extended + type: ip + description: 'Translated IP of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the client to the server. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the client. + - name: registered_domain + level: extended + type: wildcard + description: 'The highest registered client domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: wildcard + description: User email address. + - name: user.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: user.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming + from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data + from its host, the cloud info contains the data about this machine. If Metricbeat + runs on a remote machine outside the cloud and fetches data from a service running + in the cloud, the field contains cloud data from the machine the service is + running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different + entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' 
+ example: 666777888999 + - name: account.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev + default_field: false + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: project.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project identifier. + + Examples: Google Cloud Project id, Azure Project id.' + example: my-project + default_field: false + - name: project.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project name. + + Examples: Google Cloud Project name, Azure Project name.' + example: my project + default_field: false + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, + or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + fields: + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific + container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: image.tag + level: extended + type: keyword + ignore_above: 1024 + description: Container image tags. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. 
+ - name: runtime + level: extended + type: keyword + ignore_above: 1024 + description: Runtime managing this container. + example: docker + - name: destination + title: Destination + group: 2 + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or + other event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The + event will sometimes list an IP, a domain or a unix socket. You should always + store the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: domain + level: core + type: wildcard + description: Destination domain. + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: ip + level: core + type: ip + description: IP address of the destination (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the destination. + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the destination to the source. 
+ example: 12 + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: registered_domain + level: extended + type: wildcard + description: 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ - name: user.email + level: extended + type: wildcard + description: User email address. + - name: user.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: user.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. 
+ + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: dns + title: DNS + group: 2 + description: 'Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the + query details as well as all of the answers that were provided for this query + (`dns.type:answer`).' + type: group + fields: + - name: answers.class + level: extended + type: keyword + ignore_above: 1024 + description: The class of DNS data contained in this resource record. + example: IN + - name: answers.data + level: extended + type: wildcard + description: 'The data describing the resource. + + The meaning of this data depends on the type and class of the resource record.' + example: 10.10.10.10 + - name: answers.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.example.com + - name: answers.ttl + level: extended + type: long + description: The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should not be + cached. 
+ example: 180 + - name: answers.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of data contained in this resource record. + example: CNAME + - name: header_flags + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of 2 letter DNS header flags. + + Expected values are: AA, TC, RD, RA, AD, CD, DO.' + example: '["RD", "RA"]' + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: The DNS packet identifier assigned by the program that generated + the query. The identifier is copied to the response. + example: 62111 + - name: op_code + level: extended + type: keyword + ignore_above: 1024 + description: The DNS operation code that specifies the kind of query in the + message. This value is set by the originator of a query and copied into the + response. + example: QUERY + - name: question.class + level: extended + type: keyword + ignore_above: 1024 + description: The class of records being queried. + example: IN + - name: question.name + level: extended + type: wildcard + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.example.com + - name: question.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + - name: question.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + - name: question.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: question.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: resolved_ip + level: extended + type: ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for.' + example: '["10.10.10.10", "10.10.10.11"]' + - name: response_code + level: extended + type: keyword + ignore_above: 1024 + description: The DNS response code. + example: NOERROR + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of DNS event captured, query or answer. + + If your source of DNS events only gives you DNS queries, you should only create + dns events of type `dns.type:query`. 
+ + If your source of DNS events gives you answers as well, you should create + one event per query (optionally as soon as the query is seen). And a second + event containing all query details as well as an array of answers.' + example: answer + - name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 + - name: error + title: Error + group: 2 + description: 'These fields can represent errors of any kind. + + Use them for errors that happen while fetching events or in cases where the + event itself contains an error.' + type: group + fields: + - name: code + level: core + type: keyword + ignore_above: 1024 + description: Error code describing the error. + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier for the error. + - name: message + level: core + type: text + description: Error message. + - name: stack_trace + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The stack trace of this error in plain text. + index: true + - name: type + level: extended + type: wildcard + description: The type of the error, for example the class name of the exception. + example: java.lang.NullPointerException + - name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. 
Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' 
+ example: 4648 + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: duration + level: core + type: long + format: duration + input_format: nanoseconds + output_format: asMilliseconds + output_precision: 1 + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + - name: end + level: extended + type: date + description: event.end contains the date when the event ended or when the activity + was last observed. + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. 
+ example: 8a4f500d + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: original + level: core + type: wildcard + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`.' 
+ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + index: false + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + - name: reason + level: extended + type: keyword + ignore_above: 1024 + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. 
For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of the this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + default_field: false + - name: risk_score + level: core + type: float + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + - name: risk_score_norm + level: extended + type: float + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + - name: severity + level: core + type: long + format: string + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' 
+ example: 7 + - name: start + level: extended + type: date + description: event.start contains the date when the event started or when the + activity was first observed. + - name: timezone + level: extended + type: keyword + ignore_above: 1024 + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' + - name: url + level: extended + type: keyword + ignore_above: 1024 + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + default_field: false + - name: file + title: File + group: 2 + description: 'A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric.' 
+ type: group + fields: + - name: accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: created + level: extended + type: date + description: 'File creation time. 
+ + Note that not all filesystems store the creation time.' + - name: ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + - name: device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + - name: directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + - name: group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. 
+ example: '256383' + - name: mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + - name: mtime + level: extended + type: date + description: Last time the file content was modified. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + - name: path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + - name: target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Target path for symlinks. + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. 
+ example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. 
+ example: shared.global.example.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: geo + title: Geo + group: 2 + description: 'Geo fields can carry data about a specific location related to an + event. + + This geolocation information can be derived from techniques such as Geo IP, + or be user-supplied.' + type: group + fields: + - name: city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + - name: country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: hash + title: Hash + group: 2 + description: 'The hash fields represent different hash algorithms and their values. + + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for + other hashes by lowercasing the hash algorithm name and using underscore separators + as appropriate (snake case, e.g. sha3_512).' 
+ type: group + fields: + - name: md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' + example: CONTOSO + default_field: false + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: hostname + level: core + type: wildcard + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + - name: uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: wildcard + description: User email address. + - name: user.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: user.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: http + title: HTTP + group: 2 + description: Fields related to HTTP activity. Use the `url` field set to store + the url of the request. + type: group + fields: + - name: request.body.bytes + level: extended + type: long + format: bytes + description: Size in bytes of the request body. + example: 887 + - name: request.body.content + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP request body. + example: Hello world + - name: request.bytes + level: extended + type: long + format: bytes + description: Total size in bytes of the request (body and headers). + example: 1437 + - name: request.method + level: extended + type: keyword + ignore_above: 1024 + description: 'HTTP request method. + + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the + method may be useful in anomaly detection. 
Original case will be mandated + in ECS 2.0.0' + example: GET, POST, PUT, PoST + - name: request.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + default_field: false + - name: request.referrer + level: extended + type: wildcard + description: Referrer for this HTTP request. + example: https://blog.example.com/ + - name: response.body.bytes + level: extended + type: long + format: bytes + description: Size in bytes of the response body. + example: 887 + - name: response.body.content + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. + example: Hello world + - name: response.bytes + level: extended + type: long + format: bytes + description: Total size in bytes of the response (body and headers). + example: 1437 + - name: response.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + default_field: false + - name: response.status_code + level: extended + type: long + format: string + description: HTTP response status code. + example: 404 + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: HTTP version. 
+ example: 1.1 + - name: interface + title: Interface + group: 2 + description: The interface fields are used to record ingress and egress interface + information when reported by an observer (e.g. firewall, router, load balancer) + in the context of the observer handling a network connection. In the case of + a single observer interface (e.g. network sensor on a span port) only the observer.ingress + information should be populated. + type: group + fields: + - name: alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: log + title: Log + group: 2 + description: 'Details about the event''s logging mechanism or logging transport. + + The log.* fields are typically populated with details about the logging mechanism + used to create and/or transport the event. For example, syslog details belong + under `log.syslog.*`. + + The details specific to your event source are typically not logged under `log.*`, + but rather in `event.*` or in other ECS fields.' + type: group + fields: + - name: file.path + level: extended + type: wildcard + description: 'Full path to the log file this event came from, including the + file name. It should include the drive letter, when appropriate. + + If the event wasn''t read from a log file, do not populate this field.' 
+ example: /var/log/fun-times.log + default_field: false + - name: level + level: core + type: keyword + ignore_above: 1024 + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this + is the one that goes in `log.level`. If your source doesn''t specify one, + you may put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + - name: logger + level: core + type: wildcard + description: The name of the logger inside an application. This is usually the + name of the class which initialized the logger, or can be a custom name. + example: org.elasticsearch.bootstrap.Bootstrap + - name: origin.file.line + level: extended + type: integer + description: The line number of the file containing the source code which originated + the log event. + example: 42 + - name: origin.file.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The name of the file containing the source code which originated + the log event. + + Note that this field is not meant to capture the log file. The correct field + to capture the log file is `log.file.path`.' + example: Bootstrap.java + - name: origin.function + level: extended + type: keyword + ignore_above: 1024 + description: The name of the function or method which originated the log event. + example: init + - name: original + level: core + type: keyword + ignore_above: 1024 + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of + the log message, this field contains the original, full log message. It can + have already some modifications applied like encoding or new lines removed + to clean up the log message. 
+ + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + example: Sep 19 08:26:10 localhost My log + index: false + - name: syslog + level: extended + type: object + description: The Syslog metadata of the event, if the event was transmitted + via Syslog. Please see RFCs 5424 or 3164. + - name: syslog.facility.code + level: extended + type: long + format: string + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between 0 + and 23.' + example: 23 + - name: syslog.facility.name + level: extended + type: keyword + ignore_above: 1024 + description: The Syslog text-based facility of the log event, if available. + example: local7 + - name: syslog.priority + level: extended + type: long + format: string + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + - name: syslog.severity.code + level: extended + type: long + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. + If the event source does not specify a distinct severity, you can optionally + copy the Syslog severity to `event.severity`.' + example: 3 + - name: syslog.severity.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different severity value + (e.g. firewall, IDS), your source''s text severity should go to `log.level`. 
+ If the event source does not specify a distinct severity, you can optionally + copy the Syslog severity to `log.level`.' + example: Error + - name: network + title: Network + group: 2 + description: 'The network is defined as the communication path over which a host + or network event happens. + + The network.* fields should be populated with details about the network activity + associated with an event.' + type: group + fields: + - name: application + level: extended + type: keyword + ignore_above: 1024 + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. This would be used in situations where the vendor + or service can be decoded such as from the source/dest IP owners, ports, or + wire format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: community_id + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of source and destination IPs and ports, as well as the + protocol used in a communication. This is a tool-agnostic standard to identify + flows. + + Learn more at https://github.com/corelight/community-id-spec.' 
+ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n \ + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." + example: inbound + - name: forwarded_ip + level: core + type: ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 + - name: iana_number + level: extended + type: keyword + ignore_above: 1024 + description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). + Standardized list of protocols. This aligns well with NetFlow and sFlow related + logs which use the IANA Protocol Number. + example: 6 + - name: inner + level: extended + type: object + description: Network.inner fields are added in addition to network.vlan fields + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used + when sending traffic with multiple 802.1q encapsulations to a network sensor + (e.g. Zeek, Wireshark.) 
+ default_field: false + - name: inner.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: inner.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name given by operators to sections of their network. + example: Guest Wifi + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` + is their sum.' + example: 24 + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: transport + level: core + type: keyword + ignore_above: 1024 + description: 'Same as network.iana_number, but instead using the Keyword name + of the transport layer (udp, tcp, ipv6-icmp, etc.) + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: tcp + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, + ipsec, pim, etc + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: ipv4 + - name: vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. 
+ example: outside + default_field: false + - name: observer + title: Observer + group: 2 + description: 'An observer is defined as a special network, security, or application + device used to detect, observe, or create network, security, or application-related + events and metrics. + + This could be a custom hardware appliance or a server that has been configured + to run special network, security, or application software. Examples include + firewalls, web proxies, intrusion detection/prevention systems, network monitoring + sensors, web application firewalls, data loss prevention systems, and APM servers. + The observer.* fields shall be populated with details of the system, if any, + that detects, observes and/or creates a network, security, or application event + or metric. Message queues and ETL components used in processing events or metrics + are not considered observers in ECS.' + type: group + fields: + - name: egress + level: extended + type: object + description: Observer.egress holds information like interface number and name, + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: egress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: egress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: egress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. 
+ example: eth0 + default_field: false + - name: egress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: egress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: egress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of outbound traffic as reported by the observer to + categorize the destination area of egress traffic, e.g. Internal, External, + DMZ, HR, Legal, etc. + example: Public_Internet + default_field: false + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: Hostname of the observer. + - name: ingress + level: extended + type: object + description: Observer.ingress holds information like interface number and name, + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: ingress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: ingress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: ingress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: ingress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: ingress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: ingress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of incoming traffic as reported by the observer to + categorize the source area of ingress traffic. e.g. internal, External, DMZ, + HR, Legal, etc. + example: DMZ + default_field: false + - name: ip + level: core + type: ip + description: IP addresses of the observer. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC addresses of the observer + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: 'Custom name of the observer. + + This is a name that can be given to an observer. This can be helpful for example + if multiple firewalls of the same model are used in an organization. + + If no custom name is needed, the field can be left empty.' + example: 1_proxySG + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: The product name of the observer. + example: s200 + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Observer serial number. + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'The type of the observer the data is coming from. 
+ + There is no predefined list of observer types. Some examples are `forwarder`, + `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' + example: firewall + - name: vendor + level: core + type: keyword + ignore_above: 1024 + description: Vendor name of the observer. + example: Symantec + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Observer version. + - name: organization + title: Organization + group: 2 + description: 'The organization fields enrich data with information about the company + or entity the data is associated with. + + These fields help you arrange or filter data stored in an index by one or multiple + organizations.' + type: group + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the organization. + - name: name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + - name: os + title: Operating System + group: 2 + description: The OS fields contain information about the operating system. + type: group + fields: + - name: family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. 
+ example: Mac OS X + - name: platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: package + title: Package + group: 2 + description: These fields contain information about an installed software package. + It contains general information about a package, such as name, version or size. + It also contains installation details, such as time or location. + type: group + fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: Package architecture. + example: x86_64 + - name: build_version + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the build version of the installed + package. + + For example use the commit SHA of a non-released package.' + example: 36f4f7e89dd61b0988b12ee000b98966867710cd + default_field: false + - name: checksum + level: extended + type: keyword + ignore_above: 1024 + description: Checksum of the installed package for verification. + example: 68b329da9893e34099c7d8ad5cb9c940 + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Description of the package. + example: Open source programming language to build simple/reliable/efficient + software. + - name: install_scope + level: extended + type: keyword + ignore_above: 1024 + description: Indicating how the package was installed, e.g. user-local, global. + example: global + - name: installed + level: extended + type: date + description: Time when package was installed. + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: 'License under which the package was released. + + Use a short name, e.g. 
the license identifier from SPDX License List where + possible (https://spdx.org/licenses/).' + example: Apache License 2.0 + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Package name + example: go + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Path where the package is installed. + example: /usr/local/Cellar/go/1.12.9/ + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: Home page or reference URL of the software in this package, if + available. + example: https://golang.org + default_field: false + - name: size + level: extended + type: long + format: string + description: Package size in bytes. + example: 62231 + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Type of package. + + This should contain the package file type, rather than the package manager + name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' + example: rpm + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Package version + example: 1.12.9 + - name: pe + title: PE Header + group: 2 + description: These fields contain Windows Portable Executable (PE) metadata. + type: group + fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + - name: args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' 
+ example: 4 + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.args_count + level: extended + type: long + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.executable + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: parent.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + default_field: false + - name: parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. 
+ default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.working_directory + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + - name: start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. 
+ example: thread-0 + - name: title + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + - name: working_directory + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The working directory of the process. + example: /home/alice + - name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: related + title: Related + group: 2 + description: 'This field set is meant to facilitate pivoting around a piece of + data. + + Some pieces of information can be seen in many places in an ECS event. To facilitate + searching for them, store an array of all seen values to their corresponding + field in `related.`. + + A concrete example is IP addresses, which can be under host, observer, source, + destination, client, server, and network.forwarded_ip. If you append all IPs + to `related.ip`, you can then search for a given IP trivially, no matter where + it appeared, by querying `related.ip:192.0.2.15`.' + type: group + fields: + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: All the hashes seen on your event. Populating this field, then + using it to search for hashes can help in situations where you're unsure what + the hash algorithm is (and therefore which key name to search). 
+ default_field: false + - name: hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false + - name: ip + level: extended + type: ip + description: All of the IPs seen on your event. + - name: user + level: extended + type: keyword + ignore_above: 1024 + description: All the user names seen on your event. + default_field: false + - name: rule + title: Rule + group: 2 + description: 'Rule fields are used to capture the specifics of any observer or + agent rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web + application firewalls, url filters, endpoint detection and response (EDR) systems, + etc.' + type: group + fields: + - name: author + level: extended + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: '["Star-Lord"]' + default_field: false + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. 
+ example: 101 + default_field: false + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL to additional information about the rule used to + generate this event. + + The URL can point to the vendor''s documentation about the rule. If that''s + not available, it can also be a link to a more general page describing this + type of alert.' + example: https://en.wikipedia.org/wiki/DNS_over_TLS + default_field: false + - name: ruleset + level: extended + type: keyword + ignore_above: 1024 + description: Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters + default_field: false + - name: uuid + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. + example: 1100110011 + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: The version / revision of the rule being used for analysis. + example: 1.1 + default_field: false + - name: server + title: Server + group: 2 + description: 'A Server is defined as the responder in a network connection for + events regarding sessions, connections, or bidirectional flow records. + + For TCP events, the server is the receiver of the initial SYN packet(s) of the + TCP connection. 
For other protocols, the server is generally the responder in + the network transaction. Some systems actually use the term "responder" to refer + the server in TCP connections. The server fields describe details about the + system acting as the server in the network event. Server fields are usually + populated in conjunction with client fields. Server fields are generally not + populated for packet-level events. + + Client / server representations can add semantic context to an exchange, which + is helpful to visualize the data in certain situations. If your context falls + in that category, you should still ensure that source and destination are filled + appropriately.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event server addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the server to the client. + example: 184 + - name: domain + level: core + type: wildcard + description: Server domain. + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: ip + level: core + type: ip + description: IP address of the server (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the server. + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the server to the client. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the server. 
+ - name: registered_domain + level: extended + type: wildcard + description: 'The highest registered server domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: wildcard + description: User email address. 
+ - name: user.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: user.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: service + title: Service + group: 2 + description: 'The service fields describe the service for or from which the data + was collected. + + These fields help you find and correlate logs for a specific service and version.' + type: group + fields: + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' 
+ example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics + - name: node.name + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' 
+ example: instance-0000000016 + - name: state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + - name: version + level: core + type: keyword + ignore_above: 1024 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + - name: source + title: Source + group: 2 + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + - name: as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: domain + level: core + type: wildcard + description: Source domain. + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: MAC address of the source. 
+ - name: nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: registered_domain + level: extended + type: wildcard + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: wildcard + description: User email address. + - name: user.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ - name: user.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: threat + title: Threat + group: 2 + description: "Fields to classify events and alerts according to a threat taxonomy\ + \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ + \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ + \ The threat.tactic.* are meant to capture the high level category of the threat\ + \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ + \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ + \ \"endpoint denial of service\")." + type: group + fields: + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: tactic.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 + - name: tactic.name + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/)" + example: Execution + - name: tactic.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ + \ )" + example: https://attack.mitre.org/tactics/TA0002/ + - name: technique.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 + - name: technique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter + - name: technique.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + - name: technique.subtechnique.id + level: extended + type: keyword + ignore_above: 1024 + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + default_field: false + - name: technique.subtechnique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + default_field: false + - name: technique.subtechnique.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + default_field: false + - name: tls + title: TLS + group: 2 + description: Fields related to a TLS connection. These fields focus on the TLS + protocol itself and intentionally avoids in-depth analysis of the related x.509 + certificate files. + type: group + fields: + - name: cipher + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + default_field: false + - name: client.certificate + level: extended + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value + also exists in that list. + example: MII... + default_field: false + - name: client.certificate_chain + level: extended + type: keyword + ignore_above: 1024 + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + default_field: false + - name: client.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. 
+ example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + default_field: false + - name: client.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + default_field: false + - name: client.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the client. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + default_field: false + - name: client.issuer + level: extended + type: wildcard + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: client.ja3 + level: extended + type: keyword + ignore_above: 1024 + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + default_field: false + - name: client.not_after + level: extended + type: date + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + default_field: false + - name: client.not_before + level: extended + type: date + description: Date/Time indicating when client certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + default_field: false + - name: client.server_name + level: extended + type: keyword + ignore_above: 1024 + description: Also called an SNI, this tells the server which hostname to which + the client is attempting to connect to. 
When this value is available, it should + get copied to `destination.domain`. + example: www.elastic.co + default_field: false + - name: client.subject + level: extended + type: wildcard + description: Distinguished name of subject of the x.509 certificate presented + by the client. + example: CN=myclient, OU=Documentation Team, DC=example, DC=com + default_field: false + - name: client.supported_ciphers + level: extended + type: keyword + ignore_above: 1024 + description: Array of ciphers offered by the client during the client hello. + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' + default_field: false + - name: client.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: client.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: client.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: client.x509.issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: client.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: client.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: client.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: client.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: client.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: client.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: client.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: client.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + default_field: false + - name: client.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: client.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: client.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: client.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: client.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: client.x509.subject.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: client.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: client.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: client.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: client.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: curve + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + default_field: false + - name: established + level: extended + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + default_field: false + - name: next_protocol + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + default_field: false + - name: resumed + level: extended + type: boolean + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. + default_field: false + - name: server.certificate + level: extended + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value + also exists in that list. + example: MII... 
+ default_field: false + - name: server.certificate_chain + level: extended + type: keyword + ignore_above: 1024 + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + default_field: false + - name: server.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + default_field: false + - name: server.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + default_field: false + - name: server.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the server. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + default_field: false + - name: server.issuer + level: extended + type: wildcard + description: Subject of the issuer of the x.509 certificate presented by the + server. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: server.ja3s + level: extended + type: keyword + ignore_above: 1024 + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. 
+ example: 394441ab65754e2207b1e1b457b3641d + default_field: false + - name: server.not_after + level: extended + type: date + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + default_field: false + - name: server.not_before + level: extended + type: date + description: Timestamp indicating when server certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + default_field: false + - name: server.subject + level: extended + type: wildcard + description: Subject of the x.509 certificate presented by the server. + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: server.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: server.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: server.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: server.x509.issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: server.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: server.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: server.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: server.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: server.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: server.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: server.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: server.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + default_field: false + - name: server.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: server.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: server.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: server.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: server.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: server.x509.subject.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: server.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: server.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: server.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: server.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Numeric part of the version parsed from the original string. + example: '1.2' + default_field: false + - name: version_protocol + level: extended + type: keyword + ignore_above: 1024 + description: Normalized lowercase protocol name parsed from original string. + example: tls + default_field: false + - name: tracing + title: Tracing + group: 2 + description: Distributed tracing makes it possible to analyze performance throughout + a microservice architecture all in one view. This is accomplished by tracing + all of the requests - from the initial web request in the front-end service + - to queries made through multiple back-end services. + type: group + fields: + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to + another service, or a database query.' + example: 3ff9a8981b7ccd5a + default_field: false + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For + example, a user request handled by multiple inter-connected services.' 
+ example: 4bf92f3577b34da6a3ce929d0e0e4736 + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction within the scope of its trace. + + A transaction is the highest level of work measured within a service, such + as a request to a server.' + example: 00f067aa0ba902b7 + - name: url + title: URL + group: 2 + description: URL fields provide support for complete or partial URLs, and supports + the breaking down into scheme, domain, path, and so on. + type: group + fields: + - name: domain + level: extended + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png".' + example: png + - name: fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + - name: full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + - name: original + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Unmodified original url as seen in the event source. 
+ + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + - name: path + level: extended + type: wildcard + description: Path of the request, such as "/search". + - name: port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + - name: query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + - name: registered_domain + level: extended + type: wildcard + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: scheme + level: extended + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: username + level: extended + type: keyword + ignore_above: 1024 + description: Username of the request. + - name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: changes.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.email + level: extended + type: wildcard + description: User email address. + default_field: false + - name: changes.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: changes.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: changes.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: changes.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: changes.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: changes.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: changes.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: effective.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.email + level: extended + type: wildcard + description: User email address. 
+ default_field: false + - name: effective.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: effective.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: effective.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: effective.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: effective.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: effective.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: effective.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: email + level: extended + type: wildcard + description: User email address. + - name: full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. 
+ example: Albert Einstein + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + - name: name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert + - name: roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.email + level: extended + type: wildcard + description: User email address. + default_field: false + - name: target.full_name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: target.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: target.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: target.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: target.name + level: core + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false + - name: target.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: user_agent + title: User agent + group: 2 + description: 'The user_agent fields normally come from a browser request. + + They often show up in web service logs coming from the parsed user agent string.' + type: group + fields: + - name: device.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the device. + example: iPhone + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the user agent. + example: Safari + - name: original + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Unparsed user_agent string. 
+ example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the user agent. + example: 12.0 + - name: vlan + title: VLAN + group: 2 + description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, + as well as ingress and egress VLAN associations of an observer in relation to + a specific packet or connection. + + Network.vlan fields are used to record a single VLAN tag, or the outer tag in + the case of q-in-q encapsulations, for a packet or connection as observed, typically + provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. 
+ + Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple + 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. + Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should + only be used in addition to network.vlan fields to indicate q-in-q tagging. + + Observer.ingress and observer.egress VLAN values are used to record observer + specific information when observer events contain discrete ingress and egress + VLAN information, typically provided by firewalls, routers, or load balancers.' + type: group + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: vulnerability + title: Vulnerability + group: 2 + description: The vulnerability fields describe information about a vulnerability + that is relevant to an event. + type: group + fields: + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys + vulnerability categories]) + + This field must be an array.' + example: '["Firewall"]' + default_field: false + - name: classification + level: extended + type: keyword + ignore_above: 1024 + description: The classification of the vulnerability scoring system. 
For example + (https://www.first.org/cvss/) + example: CVSS + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The description of the vulnerability that provides additional context + of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common + Vulnerabilities and Exposure CVE description]) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + default_field: false + - name: enumeration + level: extended + type: keyword + ignore_above: 1024 + description: The type of identifier used for this vulnerability. For example + (https://cve.mitre.org/about/) + example: CVE + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: The identification (ID) is the number portion of a vulnerability + entry. It includes a unique identification number for the vulnerability. For + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities + and Exposure CVE ID] + example: CVE-2019-00001 + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A resource that provides additional information, context, and mitigations + for the identified vulnerability. + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + default_field: false + - name: report_id + level: extended + type: keyword + ignore_above: 1024 + description: The report or scan identification number. + example: 20191018.0001 + default_field: false + - name: scanner.vendor + level: extended + type: keyword + ignore_above: 1024 + description: The name of the vulnerability scanner vendor. + example: Tenable + default_field: false + - name: score.base + level: extended + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
+ + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentiality, + integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + default_field: false + - name: score.environmental + level: extended + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + default_field: false + - name: score.temporal + level: extended + type: float + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. For example (https://www.first.org/cvss/specification-document)' + default_field: false + - name: score.version + level: extended + type: keyword + ignore_above: 1024 + description: 'The National Vulnerability Database (NVD) provides qualitative + severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score + ranges in addition to the severity ratings for CVSS v3.0 as they are defined + in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit + organization, whose mission is to help computer security incident response + teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 + default_field: false + - name: severity + level: extended + type: keyword + ignore_above: 1024 + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. 
For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical + default_field: false + - name: x509 + title: x509 Certificate + group: 2 + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in + executable binaries, S/MIME information in email bodies, or analysis of files + on disk. When only a single certificate is logged in an event, it should be + nested under `file`. When hashes of the DER-encoded certificate are available, + the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For + events that contain certificate information for both sides of the connection, + the x509 object could be nested under the respective side of the connection + information (e.g. `tls.server.x509`). + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: subject.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv new file mode 100644 index 0000000000..62979dd9b5 --- /dev/null +++ b/experimental/generated/csv/fields.csv 
@@ -0,0 +1,720 @@ +ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description +1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.7.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.7.0-dev,true,client,client.domain,wildcard,core,,,Client domain. +1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
+1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.7.0-dev,true,client,client.port,long,core,,,Port of the client. +1.7.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
+1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.7.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.7.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.7.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. +1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
+1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.7.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
+1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+1.7.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.7.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.7.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.7.0-dev,true,error,error.message,text,core,,,Error message. +1.7.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.7.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.7.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
+1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.7.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
+1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,file,file.created,date,extended,,,File creation time. +1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.7.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. 
+1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.7.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.7.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 
+1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
+1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id. +1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.7.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.7.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 
+1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.7.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.7.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.7.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.7.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." 
+1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
+1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.7.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. +1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
+1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.7.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 
+1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. +1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.7.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.7.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.7.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.7.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. +1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.7.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.7.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.7.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.7.0-dev,true,process,process.title,wildcard,extended,,,Process title. +1.7.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.7.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.7.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.7.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.7.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.7.0-dev,true,server,server.domain,wildcard,core,,,Server domain. +1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.7.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.7.0-dev,true,server,server.port,long,core,,,Port of the server. +1.7.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.7.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.7.0-dev,true,source,source.domain,wildcard,core,,,Source domain. +1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.7.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.7.0-dev,true,source,source.port,long,core,,,Port of the source. +1.7.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.7.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.7.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
+1.7.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.7.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.7.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.7.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.7.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.7.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.7.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.7.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. +1.7.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. +1.7.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,user,user.email,wildcard,extended,,,User email address. +1.7.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
+1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.7.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. +1.7.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.7.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.7.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.7.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.7.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.7.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.7.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
+1.7.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.7.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.7.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml new file mode 100644 index 0000000000..5f27925261 --- /dev/null +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -0,0 +1,8956 @@ +'@timestamp': + dashed_name: -timestamp + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when the + event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' + flat_name: '@timestamp' + level: core + name: '@timestamp' + normalize: [] + required: true + short: Date/time when the event originated. + type: date +agent.build.original: + dashed_name: agent-build-original + description: 'Extended build information for the agent. + + This field is intended to contain any build information that a data source may + provide, no specific formatting is required.' + example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c + built 2020-02-05 23:10:10 +0000 UTC] + flat_name: agent.build.original + level: core + name: build.original + normalize: [] + short: Extended build information for the agent. + type: wildcard +agent.ephemeral_id: + dashed_name: agent-ephemeral-id + description: 'Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not.' + example: 8a4f500f + flat_name: agent.ephemeral_id + ignore_above: 1024 + level: extended + name: ephemeral_id + normalize: [] + short: Ephemeral identifier of this agent. + type: keyword +agent.id: + dashed_name: agent-id + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + flat_name: agent.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of this agent. + type: keyword +agent.name: + dashed_name: agent-name + description: 'Custom name of the agent. + + This is a name that can be given to an agent. 
This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + flat_name: agent.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Custom name of the agent. + type: keyword +agent.type: + dashed_name: agent-type + description: 'Type of the agent. + + The agent type always stays the same and should be given by the agent used. In + case of Filebeat the agent would always be Filebeat also if two Filebeat instances + are run on the same machine.' + example: filebeat + flat_name: agent.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: Type of the agent. + type: keyword +agent.version: + dashed_name: agent-version + description: Version of the agent. + example: 6.0.0-rc2 + flat_name: agent.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Version of the agent. + type: keyword +client.address: + dashed_name: client-address + description: 'Some event client addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: client.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Client network address. + type: keyword +client.as.number: + dashed_name: client-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: client.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long +client.as.organization.name: + dashed_name: client-as-organization-name + description: Organization name. + example: Google LLC + flat_name: client.as.organization.name + level: extended + multi_fields: + - flat_name: client.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +client.bytes: + dashed_name: client-bytes + description: Bytes sent from the client to the server. + example: 184 + flat_name: client.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the client to the server. + type: long +client.domain: + dashed_name: client-domain + description: Client domain. + flat_name: client.domain + level: core + name: domain + normalize: [] + short: Client domain. + type: wildcard +client.geo.city_name: + dashed_name: client-geo-city-name + description: City name. + example: Montreal + flat_name: client.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +client.geo.continent_name: + dashed_name: client-geo-continent-name + description: Name of the continent. + example: North America + flat_name: client.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +client.geo.country_iso_code: + dashed_name: client-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: client.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +client.geo.country_name: + dashed_name: client-geo-country-name + description: Country name. 
+ example: Canada + flat_name: client.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +client.geo.location: + dashed_name: client-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: client.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +client.geo.name: + dashed_name: client-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: client.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +client.geo.region_iso_code: + dashed_name: client-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: client.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +client.geo.region_name: + dashed_name: client-geo-region-name + description: Region name. + example: Quebec + flat_name: client.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +client.ip: + dashed_name: client-ip + description: IP address of the client (IPv4 or IPv6). + flat_name: client.ip + level: core + name: ip + normalize: [] + short: IP address of the client. + type: ip +client.mac: + dashed_name: client-mac + description: MAC address of the client. + flat_name: client.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the client. 
+ type: keyword +client.nat.ip: + dashed_name: client-nat-ip + description: 'Translated IP of source based NAT sessions (e.g. internal client to + internet). + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: client.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Client NAT ip address + type: ip +client.nat.port: + dashed_name: client-nat-port + description: 'Translated port of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: client.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Client NAT port + type: long +client.packets: + dashed_name: client-packets + description: Packets sent from the client to the server. + example: 12 + flat_name: client.packets + level: core + name: packets + normalize: [] + short: Packets sent from the client to the server. + type: long +client.port: + dashed_name: client-port + description: Port of the client. + flat_name: client.port + format: string + level: core + name: port + normalize: [] + short: Port of the client. + type: long +client.registered_domain: + dashed_name: client-registered-domain + description: 'The highest registered client domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: client.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered client domain, stripped of the subdomain. 
+ type: wildcard +client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +client.top_level_domain: + dashed_name: client-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: client.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +client.user.domain: + dashed_name: client-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: client.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +client.user.email: + dashed_name: client-user-email + description: User email address. 
+ flat_name: client.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +client.user.full_name: + dashed_name: client-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: client.user.full_name + level: extended + multi_fields: + - flat_name: client.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +client.user.group.domain: + dashed_name: client-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: client.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +client.user.group.id: + dashed_name: client-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: client.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +client.user.group.name: + dashed_name: client-user-group-name + description: Name of the group. + flat_name: client.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +client.user.hash: + dashed_name: client-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: client.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +client.user.id: + dashed_name: client-user-id + description: Unique identifier of the user. + flat_name: client.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +client.user.name: + dashed_name: client-user-name + description: Short name or login of the user. + example: albert + flat_name: client.user.name + level: core + multi_fields: + - flat_name: client.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +client.user.roles: + dashed_name: client-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: client.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +cloud.account.id: + dashed_name: cloud-account-id + description: 'The cloud account or organization id used to identify different entities + in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + flat_name: cloud.account.id + ignore_above: 1024 + level: extended + name: account.id + normalize: [] + short: The cloud account or organization id. + type: keyword +cloud.account.name: + dashed_name: cloud-account-name + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' 
+ example: elastic-dev + flat_name: cloud.account.name + ignore_above: 1024 + level: extended + name: account.name + normalize: [] + short: The cloud account name. + type: keyword +cloud.availability_zone: + dashed_name: cloud-availability-zone + description: Availability zone in which this host is running. + example: us-east-1c + flat_name: cloud.availability_zone + ignore_above: 1024 + level: extended + name: availability_zone + normalize: [] + short: Availability zone in which this host is running. + type: keyword +cloud.instance.id: + dashed_name: cloud-instance-id + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + flat_name: cloud.instance.id + ignore_above: 1024 + level: extended + name: instance.id + normalize: [] + short: Instance ID of the host machine. + type: keyword +cloud.instance.name: + dashed_name: cloud-instance-name + description: Instance name of the host machine. + flat_name: cloud.instance.name + ignore_above: 1024 + level: extended + name: instance.name + normalize: [] + short: Instance name of the host machine. + type: keyword +cloud.machine.type: + dashed_name: cloud-machine-type + description: Machine type of the host machine. + example: t2.medium + flat_name: cloud.machine.type + ignore_above: 1024 + level: extended + name: machine.type + normalize: [] + short: Machine type of the host machine. + type: keyword +cloud.project.id: + dashed_name: cloud-project-id + description: 'The cloud project identifier. + + Examples: Google Cloud Project id, Azure Project id.' + example: my-project + flat_name: cloud.project.id + ignore_above: 1024 + level: extended + name: project.id + normalize: [] + short: The cloud project id. + type: keyword +cloud.project.name: + dashed_name: cloud-project-name + description: 'The cloud project name. + + Examples: Google Cloud Project name, Azure Project name.' 
+ example: my project + flat_name: cloud.project.name + ignore_above: 1024 + level: extended + name: project.name + normalize: [] + short: The cloud project name. + type: keyword +cloud.provider: + dashed_name: cloud-provider + description: Name of the cloud provider. Example values are aws, azure, gcp, or + digitalocean. + example: aws + flat_name: cloud.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + short: Name of the cloud provider. + type: keyword +cloud.region: + dashed_name: cloud-region + description: Region in which this host is running. + example: us-east-1 + flat_name: cloud.region + ignore_above: 1024 + level: extended + name: region + normalize: [] + short: Region in which this host is running. + type: keyword +container.id: + dashed_name: container-id + description: Unique container id. + flat_name: container.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique container id. + type: keyword +container.image.name: + dashed_name: container-image-name + description: Name of the image the container was built on. + flat_name: container.image.name + ignore_above: 1024 + level: extended + name: image.name + normalize: [] + short: Name of the image the container was built on. + type: keyword +container.image.tag: + dashed_name: container-image-tag + description: Container image tags. + flat_name: container.image.tag + ignore_above: 1024 + level: extended + name: image.tag + normalize: + - array + short: Container image tags. + type: keyword +container.labels: + dashed_name: container-labels + description: Image labels. + flat_name: container.labels + level: extended + name: labels + normalize: [] + object_type: keyword + short: Image labels. + type: object +container.name: + dashed_name: container-name + description: Container name. + flat_name: container.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Container name. 
+ type: keyword +container.runtime: + dashed_name: container-runtime + description: Runtime managing this container. + example: docker + flat_name: container.runtime + ignore_above: 1024 + level: extended + name: runtime + normalize: [] + short: Runtime managing this container. + type: keyword +destination.address: + dashed_name: destination-address + description: 'Some event destination addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: destination.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Destination network address. + type: keyword +destination.as.number: + dashed_name: destination-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: destination.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +destination.as.organization.name: + dashed_name: destination-as-organization-name + description: Organization name. + example: Google LLC + flat_name: destination.as.organization.name + level: extended + multi_fields: + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +destination.bytes: + dashed_name: destination-bytes + description: Bytes sent from the destination to the source. + example: 184 + flat_name: destination.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the destination to the source. 
+ type: long +destination.domain: + dashed_name: destination-domain + description: Destination domain. + flat_name: destination.domain + level: core + name: domain + normalize: [] + short: Destination domain. + type: wildcard +destination.geo.city_name: + dashed_name: destination-geo-city-name + description: City name. + example: Montreal + flat_name: destination.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +destination.geo.continent_name: + dashed_name: destination-geo-continent-name + description: Name of the continent. + example: North America + flat_name: destination.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +destination.geo.country_iso_code: + dashed_name: destination-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: destination.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +destination.geo.country_name: + dashed_name: destination-geo-country-name + description: Country name. + example: Canada + flat_name: destination.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +destination.geo.location: + dashed_name: destination-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: destination.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +destination.geo.name: + dashed_name: destination-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: destination.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +destination.geo.region_iso_code: + dashed_name: destination-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: destination.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +destination.geo.region_name: + dashed_name: destination-geo-region-name + description: Region name. + example: Quebec + flat_name: destination.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +destination.ip: + dashed_name: destination-ip + description: IP address of the destination (IPv4 or IPv6). + flat_name: destination.ip + level: core + name: ip + normalize: [] + short: IP address of the destination. + type: ip +destination.mac: + dashed_name: destination-mac + description: MAC address of the destination. + flat_name: destination.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the destination. + type: keyword +destination.nat.ip: + dashed_name: destination-nat-ip + description: 'Translated ip of destination based NAT sessions (e.g. internet to + private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: destination.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Destination NAT ip + type: ip +destination.nat.port: + dashed_name: destination-nat-port + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: destination.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Destination NAT Port + type: long +destination.packets: + dashed_name: destination-packets + description: Packets sent from the destination to the source. + example: 12 + flat_name: destination.packets + level: core + name: packets + normalize: [] + short: Packets sent from the destination to the source. + type: long +destination.port: + dashed_name: destination-port + description: Port of the destination. + flat_name: destination.port + format: string + level: core + name: port + normalize: [] + short: Port of the destination. + type: long +destination.registered_domain: + dashed_name: destination-registered-domain + description: 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: destination.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered destination domain, stripped of the subdomain. + type: wildcard +destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +destination.top_level_domain: + dashed_name: destination-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: destination.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +destination.user.domain: + dashed_name: destination-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: destination.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +destination.user.email: + dashed_name: destination-user-email + description: User email address. + flat_name: destination.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +destination.user.full_name: + dashed_name: destination-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: destination.user.full_name + level: extended + multi_fields: + - flat_name: destination.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: wildcard +destination.user.group.domain: + dashed_name: destination-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: destination.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +destination.user.group.id: + dashed_name: destination-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: destination.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +destination.user.group.name: + dashed_name: destination-user-group-name + description: Name of the group. + flat_name: destination.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +destination.user.hash: + dashed_name: destination-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: destination.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +destination.user.id: + dashed_name: destination-user-id + description: Unique identifier of the user. + flat_name: destination.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +destination.user.name: + dashed_name: destination-user-name + description: Short name or login of the user. 
+ example: albert + flat_name: destination.user.name + level: core + multi_fields: + - flat_name: destination.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +destination.user.roles: + dashed_name: destination-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: destination.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +dll.code_signature.exists: + dashed_name: dll-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: dll.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +dll.code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +dll.code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +dll.code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +dll.code_signature.valid: + dashed_name: dll-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +dll.hash.md5: + dashed_name: dll-hash-md5 + description: MD5 hash. + flat_name: dll.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +dll.hash.sha1: + dashed_name: dll-hash-sha1 + description: SHA1 hash. + flat_name: dll.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +dll.hash.sha256: + dashed_name: dll-hash-sha256 + description: SHA256 hash. 
+ flat_name: dll.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +dll.hash.sha512: + dashed_name: dll-hash-sha512 + description: SHA512 hash. + flat_name: dll.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +dll.name: + dashed_name: dll-name + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + flat_name: dll.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the library. + type: keyword +dll.path: + dashed_name: dll-path + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + flat_name: dll.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + short: Full file path of the library. + type: keyword +dll.pe.architecture: + dashed_name: dll-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: dll.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +dll.pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +dll.pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +dll.pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +dll.pe.imphash: + dashed_name: dll-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: dll.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +dll.pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +dll.pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +dns.answers.class: + dashed_name: dns-answers-class + description: The class of DNS data contained in this resource record. 
+ example: IN + flat_name: dns.answers.class + ignore_above: 1024 + level: extended + name: answers.class + normalize: [] + short: The class of DNS data contained in this resource record. + type: keyword +dns.answers.data: + dashed_name: dns-answers-data + description: 'The data describing the resource. + + The meaning of this data depends on the type and class of the resource record.' + example: 10.10.10.10 + flat_name: dns.answers.data + level: extended + name: answers.data + normalize: [] + short: The data describing the resource. + type: wildcard +dns.answers.name: + dashed_name: dns-answers-name + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the one + that corresponds with the answer''s `data`. It should not simply be the original + `question.name` repeated.' + example: www.example.com + flat_name: dns.answers.name + ignore_above: 1024 + level: extended + name: answers.name + normalize: [] + short: The domain name to which this resource record pertains. + type: keyword +dns.answers.ttl: + dashed_name: dns-answers-ttl + description: The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should not be cached. + example: 180 + flat_name: dns.answers.ttl + level: extended + name: answers.ttl + normalize: [] + short: The time interval in seconds that this resource record may be cached before + it should be discarded. + type: long +dns.answers.type: + dashed_name: dns-answers-type + description: The type of data contained in this resource record. + example: CNAME + flat_name: dns.answers.type + ignore_above: 1024 + level: extended + name: answers.type + normalize: [] + short: The type of data contained in this resource record. + type: keyword +dns.header_flags: + dashed_name: dns-header-flags + description: 'Array of 2 letter DNS header flags. 
+ + Expected values are: AA, TC, RD, RA, AD, CD, DO.' + example: '["RD", "RA"]' + flat_name: dns.header_flags + ignore_above: 1024 + level: extended + name: header_flags + normalize: + - array + short: Array of DNS header flags. + type: keyword +dns.id: + dashed_name: dns-id + description: The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. + example: 62111 + flat_name: dns.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The DNS packet identifier assigned by the program that generated the query. + The identifier is copied to the response. + type: keyword +dns.op_code: + dashed_name: dns-op-code + description: The DNS operation code that specifies the kind of query in the message. + This value is set by the originator of a query and copied into the response. + example: QUERY + flat_name: dns.op_code + ignore_above: 1024 + level: extended + name: op_code + normalize: [] + short: The DNS operation code that specifies the kind of query in the message. + type: keyword +dns.question.class: + dashed_name: dns-question-class + description: The class of records being queried. + example: IN + flat_name: dns.question.class + ignore_above: 1024 + level: extended + name: question.class + normalize: [] + short: The class of records being queried. + type: keyword +dns.question.name: + dashed_name: dns-question-name + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), those + characters should be represented as escaped base 10 integers (\DDD). Back slashes + and quotes should be escaped. Tabs, carriage returns, and line feeds should be + converted to \t, \r, and \n respectively.' + example: www.example.com + flat_name: dns.question.name + level: extended + name: question.name + normalize: [] + short: The name being queried. 
+ type: wildcard +dns.question.registered_domain: + dashed_name: dns-question-registered-domain + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: dns.question.registered_domain + ignore_above: 1024 + level: extended + name: question.registered_domain + normalize: [] + short: The highest registered domain, stripped of the subdomain. + type: keyword +dns.question.subdomain: + dashed_name: dns-question-subdomain + description: 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + flat_name: dns.question.subdomain + ignore_above: 1024 + level: extended + name: question.subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +dns.question.top_level_domain: + dashed_name: dns-question-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: dns.question.top_level_domain + ignore_above: 1024 + level: extended + name: question.top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +dns.question.type: + dashed_name: dns-question-type + description: The type of record being queried. + example: AAAA + flat_name: dns.question.type + ignore_above: 1024 + level: extended + name: question.type + normalize: [] + short: The type of record being queried. + type: keyword +dns.resolved_ip: + dashed_name: dns-resolved-ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data formats + it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to visualize + and query for.' + example: '["10.10.10.10", "10.10.10.11"]' + flat_name: dns.resolved_ip + level: extended + name: resolved_ip + normalize: + - array + short: Array containing all IPs seen in answers.data + type: ip +dns.response_code: + dashed_name: dns-response-code + description: The DNS response code. + example: NOERROR + flat_name: dns.response_code + ignore_above: 1024 + level: extended + name: response_code + normalize: [] + short: The DNS response code. + type: keyword +dns.type: + dashed_name: dns-type + description: 'The type of DNS event captured, query or answer. + + If your source of DNS events only gives you DNS queries, you should only create + dns events of type `dns.type:query`. + + If your source of DNS events gives you answers as well, you should create one + event per query (optionally as soon as the query is seen). And a second event + containing all query details as well as an array of answers.' + example: answer + flat_name: dns.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: The type of DNS event captured, query or answer. + type: keyword +ecs.version: + dashed_name: ecs-version + description: 'ECS version this event conforms to. `ecs.version` is a required field + and must exist in all events. 
+ + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version of the + events.' + example: 1.0.0 + flat_name: ecs.version + ignore_above: 1024 + level: core + name: version + normalize: [] + required: true + short: ECS version this event conforms to. + type: keyword +error.code: + dashed_name: error-code + description: Error code describing the error. + flat_name: error.code + ignore_above: 1024 + level: core + name: code + normalize: [] + short: Error code describing the error. + type: keyword +error.id: + dashed_name: error-id + description: Unique identifier for the error. + flat_name: error.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the error. + type: keyword +error.message: + dashed_name: error-message + description: Error message. + flat_name: error.message + level: core + name: message + normalize: [] + norms: false + short: Error message. + type: text +error.stack_trace: + dashed_name: error-stack-trace + description: The stack trace of this error in plain text. + flat_name: error.stack_trace + index: true + level: extended + multi_fields: + - flat_name: error.stack_trace.text + name: text + norms: false + type: text + name: stack_trace + normalize: [] + short: The stack trace of this error in plain text. + type: wildcard +error.type: + dashed_name: error-type + description: The type of the error, for example the class name of the exception. + example: java.lang.NullPointerException + flat_name: error.type + level: extended + name: type + normalize: [] + short: The type of the error, for example the class name of the exception. + type: wildcard +event.action: + dashed_name: event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. 
The value is normally + defined by the implementer.' + example: user-password-change + flat_name: event.action + ignore_above: 1024 + level: core + name: action + normalize: [] + short: The action captured by the event. + type: keyword +event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh logs. + Visualize and analyze events in this category to look for failed logins, and + other authentication-related activity. + expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to a data + storage and retrieval system. Note that use of this category is not limited + to relational database systems. Examples include event logs from MS SQL, MySQL, + Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database + activity such as accesses and changes. + expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system device + drivers and similar software entities such as Windows drivers, kernel extensions, + kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' 
+ expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or has + existed on a filesystem. Use this category of events to visualize and analyze + the creation, access, and deletions of files. Events in this category can come + from both host-based and network-based sources. An example source of a network-based + detection of a file transfer would be the Zeek file.log. + expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such as host + inventory or host lifecycle events. + + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can also + be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is not + meant to capture activity "happening on a host".' + expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, groups, + and administration. Use this category to visualize and analyze IAM-related logs + and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. Use this category to visualize and analyze intrusion + detection alerts from systems such as Snort, Suricata, and Palo Alto threat + detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. 
Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems + such as Suricata, or other sources of malware-related events such as Palo Alto + Networks threat logs and Wildfire logs. + expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection lifecycle, + network traffic, and essentially any event that includes an IP address. Many + events containing decoded network protocol transactions fit into this category. + Use events in this category to visualize or analyze counts of network ports, + protocols, addresses, geolocation information, etc. + expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, or + to determine host vulnerability in the absence of vulnerability scan data. + expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: 'Relating to web server access. Use this category to create a dashboard + of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: + events from network observers such as Zeek http log may also be included in + this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: event-category + description: 'This is one of four ECS Categorization Fields, and indicates the second + level in the ECS category hierarchy. 
+ + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process activity. + This field is closely related to `event.type`, which is used as a subcategory. + + This field is an array. This will allow proper categorization of some events that + fall in multiple categories.' + example: authentication + flat_name: event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + short: Event category. The second categorization field in the hierarchy. + type: keyword +event.code: + dashed_name: event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is the + Windows Event ID.' + example: 4648 + flat_name: event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + short: Identification code for this event. + type: keyword +event.created: + dashed_name: event-created + description: 'event.created contains the date/time when the event was first read + by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain the + time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, and + the time when your agent first processed it. This can be used to monitor your + agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + flat_name: event.created + level: core + name: created + normalize: [] + short: Time when the event was first read by an agent or by your pipeline. 
+ type: date +event.dataset: + dashed_name: event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes from. + + It''s recommended but not required to start the dataset name with the module name, + followed by a dot, then the dataset name.' + example: apache.access + flat_name: event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + short: Name of the dataset. + type: keyword +event.duration: + dashed_name: event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference between + the end and start time.' + flat_name: event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long +event.end: + dashed_name: event-end + description: event.end contains the date when the event ended or when the activity + was last observed. + flat_name: event.end + level: extended + name: end + normalize: [] + short: event.end contains the date when the event ended or when the activity was + last observed. + type: date +event.hash: + dashed_name: event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + example: 123456789012345678901234567890ABCD + flat_name: event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword +event.id: + dashed_name: event-id + description: Unique ID to describe the event. + example: 8a4f500d + flat_name: event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique ID to describe the event. 
+ type: keyword +event.ingested: + dashed_name: event-ingested + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + flat_name: event.ingested + level: core + name: ingested + normalize: [] + short: Timestamp when an event arrived in the central data store. + type: date +event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. + + `event.kind:alert` is often populated for events coming from firewalls, intrusion + detection systems, endpoint detection and response systems, and so on.' + name: alert + - description: This value is the most general and most common value for this field. + It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once every + few seconds, or once a minute, but can also be used to describe ad-hoc numeric + metric queries.' + name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. 
+ + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state of a + host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard (compliant, + not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the more + general event definition of something that happened. + + State events are often collected on a predictable frequency, such as once every + few seconds, once a minute, once an hour, or once a day, but can also be used + to describe ad-hoc state queries.' + name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. + name: pipeline_error + - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch + document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful happened + and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the highest + level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the event + contains, without being specific to the contents of the event. For example, values + of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. 
They may warrant different retention, different access control, it + may also help understand whether the data coming in at a regular interval or not.' + example: alert + flat_name: event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword +event.module: + dashed_name: event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain the + name of this module.' + example: apache + flat_name: event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + short: Name of the module this data is coming from. + type: keyword +event.original: + dashed_name: event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`.' + doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: event.original + index: false + level: core + name: original + normalize: [] + short: Raw text message of entire event. + type: wildcard +event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. A common example + is `event.category:file AND event.type:access AND event.outcome:failure` to + indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. 
+ name: success + - description: Indicates that this event describes only an attempt for which the + result is unknown from the perspective of the event producer. For example, if + the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome doesn't + make logical sense for the event. In such cases `event.outcome` should not be + populated. + name: unknown + dashed_name: event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the lowest + level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains multiple + logical events), this field should be populated with the value that best captures + the overall success or failure from the perspective of the event producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + flat_name: event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + short: The outcome of the event. The lowest level categorization field in the hierarchy. + type: keyword +event.provider: + dashed_name: event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention the + source of an event. It can be the name of the software that generated the event + (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + short: Source of the event. + type: keyword +event.reason: + dashed_name: event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` which + denied the request may also populate `event.reason` with the reason why (e.g. + `blocked site`).' + example: Terminated an unexpected process + flat_name: event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + short: Reason why this event happened, according to the source + type: keyword +event.reference: + dashed_name: event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of the this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + flat_name: event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Event reference URL + type: keyword +event.risk_score: + dashed_name: event-risk-score + description: Risk score or priority of the event (e.g. security solutions). Use + your system's original value here. + flat_name: event.risk_score + level: core + name: risk_score + normalize: [] + short: Risk score or priority of the event (e.g. security solutions). Use your system's + original value here. + type: float +event.risk_score_norm: + dashed_name: event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of 0 to + 100. 
+ + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + short: Normalized risk score or priority of the event (0-100). + type: float +event.sequence: + dashed_name: event-sequence + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the exact + ordering of events unambiguous, regardless of the timestamp precision.' + flat_name: event.sequence + format: string + level: extended + name: sequence + normalize: [] + short: Sequence number of the event. + type: long +event.severity: + dashed_name: event-severity + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and use + cases. It''s up to the implementer to make sure severities are consistent across + events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is + meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: event.severity + format: string + level: core + name: severity + normalize: [] + short: Numeric severity of the event. + type: long +event.start: + dashed_name: event-start + description: event.start contains the date when the event started or when the activity + was first observed. + flat_name: event.start + level: extended + name: start + normalize: [] + short: event.start contains the date when the event started or when the activity + was first observed. 
+ type: date +event.timezone: + dashed_name: event-timezone + description: 'This field should be populated when the event''s timestamp does not + include timezone information already (e.g. default Syslog timestamps). It''s optional + otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + short: Event time zone. + type: keyword +event.type: + allowed_values: + - description: The access event type is used for the subset of events within a category + that indicate that something was accessed. Common examples include `event.category:database + AND event.type:access`, or `event.category:file AND event.type:access`. Note + for file access, both directory listings and file opens should be included in + this subcategory. You can further distinguish access operations using the ECS + `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within a category + that are related to admin objects. For example, administrative changes within + an IAM framework that do not specifically affect a user or group (e.g., adding + new applications to a federation solution or connecting discrete forests in + Active Directory) would fall into this subcategory. Common example: `event.category:iam + AND event.type:change AND event.type:admin`. You can further distinguish admin + operations using the ECS `event.action` field.' + name: admin + - description: The allowed event type is used for the subset of events within a + category that indicate that something was allowed. 
Common examples include `event.category:network + AND event.type:connection AND event.type:allowed` (to indicate a network firewall + event for which the firewall disposition was to allow the connection to complete) + and `event.category:intrusion_detection AND event.type:allowed` (to indicate + a network intrusion prevention system event for which the IPS disposition was + to allow the connection to complete). You can further distinguish allowed operations + using the ECS `event.action` field, populating with values of your choosing, + such as "allow", "detect", or "pass". + name: allowed + - description: The change event type is used for the subset of events within a category + that indicate that something has changed. If semantics best describe an event + as modified, then include them in this subcategory. Common examples include + `event.category:process AND event.type:change`, and `event.category:file AND + event.type:change`. You can further distinguish change operations using the + ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used for + the subset of network traffic that includes sufficient information for the event + to be included in flow or connection analysis. Events in this subcategory will + contain at least source and destination IP addresses, source and destination + TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. + Events in this subcategory may contain unidirectional or bidirectional information, + including summary information. Use this subcategory to visualize and analyze + network connections. Flow analysis, including Netflow, IPFIX, and other flow-related + events fit in this subcategory. Note that firewall events from many Next-Generation + Firewall (NGFW) devices will also fit into this subcategory. 
A common filter + for flow/connection information would be `event.category:network AND event.type:connection + AND event.type:end` (to view or analyze all completed network connections, ignoring + mid-flow reports). You can further distinguish connection events using the ECS + `event.action` field, populating with values of your choosing, such as "timeout", + or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. A common example is `event.category:file + AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within a + category that indicate that something was deleted. A common example is `event.category:file + AND event.type:deletion` to indicate that a file has been deleted. + name: deletion + - description: The denied event type is used for the subset of events within a category + that indicate that something was denied. Common examples include `event.category:network + AND event.type:denied` (to indicate a network firewall event for which the firewall + disposition was to deny the connection) and `event.category:intrusion_detection + AND event.type:denied` (to indicate a network intrusion prevention system event + for which the IPS disposition was to deny the connection to complete). You can + further distinguish denied operations using the ECS `event.action` field, populating + with values of your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a category + that indicate something has ended. A common example is `event.category:process + AND event.type:end`. + name: end + - description: The error event type is used for the subset of events within a category + that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. 
Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they should + use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within a category + that are related to group objects. Common example: `event.category:iam AND event.type:creation + AND event.type:group`. You can further distinguish group operations using the + ECS `event.action` field.' + name: group + - description: The info event type is used for the subset of events within a category + that indicate that they are purely informational, and don't report a state change, + or any type of action. For example, an initial run of a file integrity monitoring + system (FIM), where an agent reports all files under management, would fall + into the "info" subcategory. Similarly, an event containing a dump of all currently + running processes (as opposed to reporting that a process started/ended) would + fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection + AND event.type:info`. + name: info + - description: The installation event type is used for the subset of events within + a category that indicate that something was installed. A common example is `event.category:package` + AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within a + category that indicate that they contain protocol details or analysis, beyond + simply identifying the protocol. Generally, network events that contain specific + protocol details will fall into this subcategory. A common example is `event.category:network + AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate + that the event is a network connection event sent at the end of a connection + that also includes a protocol detail breakdown). 
Note that events that only + indicate the name or id of the protocol should not use the protocol value. Further + note that when the protocol subcategory is used, the identified protocol is + populated in the ECS `network.protocol` field. + name: protocol + - description: The start event type is used for the subset of events within a category + that indicate something has started. A common example is `event.category:process + AND event.type:start`. + name: start + - description: 'The user event type is used for the subset of events within a category + that are related to user objects. Common example: `event.category:iam AND event.type:deletion + AND event.type:user`. You can further distinguish user operations using the + ECS `event.action` field.' + name: user + dashed_name: event-type + description: 'This is one of four ECS Categorization Fields, and indicates the third + level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along with + the `event.category` field values, enables filtering events down to a level appropriate + for single visualization. + + This field is an array. This will allow proper categorization of some events that + fall in multiple event types.' + flat_name: event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Event type. The third categorization field in the hierarchy. + type: keyword +event.url: + dashed_name: event-url + description: 'URL linking to an external system to continue investigation of this + event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' 
+ example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + short: Event investigation URL + type: keyword +file.accessed: + dashed_name: file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: file.accessed + level: extended + name: accessed + normalize: [] + short: Last time the file was accessed. + type: date +file.attributes: + dashed_name: file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + short: Array of file attributes. + type: keyword +file.code_signature.exists: + dashed_name: file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +file.code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +file.code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +file.code_signature.trusted: + dashed_name: file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +file.code_signature.valid: + dashed_name: file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +file.created: + dashed_name: file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: file.created + level: extended + name: created + normalize: [] + short: File creation time. + type: date +file.ctime: + dashed_name: file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' 
+ flat_name: file.ctime + level: extended + name: ctime + normalize: [] + short: Last time the file attributes or metadata changed. + type: date +file.device: + dashed_name: file-device + description: Device that is the source of the file. + example: sda + flat_name: file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + short: Device that is the source of the file. + type: keyword +file.directory: + dashed_name: file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: file.directory + level: extended + name: directory + normalize: [] + short: Directory where the file is located. + type: wildcard +file.drive_letter: + dashed_name: file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + short: Drive letter where the file is located. + type: keyword +file.extension: + dashed_name: file-extension + description: File extension. + example: png + flat_name: file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + short: File extension. + type: keyword +file.gid: + dashed_name: file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + short: Primary group ID (GID) of the file. + type: keyword +file.group: + dashed_name: file-group + description: Primary group name of the file. + example: alice + flat_name: file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + short: Primary group name of the file. + type: keyword +file.hash.md5: + dashed_name: file-hash-md5 + description: MD5 hash. 
+ flat_name: file.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +file.hash.sha1: + dashed_name: file-hash-sha1 + description: SHA1 hash. + flat_name: file.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +file.hash.sha256: + dashed_name: file-hash-sha256 + description: SHA256 hash. + flat_name: file.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +file.hash.sha512: + dashed_name: file-hash-sha512 + description: SHA512 hash. + flat_name: file.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +file.inode: + dashed_name: file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + short: Inode representing the file in the filesystem. + type: keyword +file.mime_type: + dashed_name: file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + short: Media type of file, document, or arrangement of bytes. + type: keyword +file.mode: + dashed_name: file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + short: Mode of the file in octal representation. 
+ type: keyword +file.mtime: + dashed_name: file-mtime + description: Last time the file content was modified. + flat_name: file.mtime + level: extended + name: mtime + normalize: [] + short: Last time the file content was modified. + type: date +file.name: + dashed_name: file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the file including the extension, without the directory. + type: keyword +file.owner: + dashed_name: file-owner + description: File owner's username. + example: alice + flat_name: file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + short: File owner's username. + type: keyword +file.path: + dashed_name: file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: file.path + level: extended + multi_fields: + - flat_name: file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + short: Full path to the file, including the file name. + type: wildcard +file.pe.architecture: + dashed_name: file-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: file.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +file.pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. 
+ type: keyword +file.pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +file.pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +file.pe.imphash: + dashed_name: file-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: file.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +file.pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +file.pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long +file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard +file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: File type (file, dir, or symlink). + type: keyword +file.uid: + dashed_name: file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +file.x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). 
+ type: keyword +file.x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +file.x509.issuer.country: + dashed_name: file-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +file.x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +file.x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +file.x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +file.x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +file.x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +file.x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +file.x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date +file.x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +file.x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +file.x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: file.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +file.x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +file.x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +file.x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +file.x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +file.x509.subject.country: + dashed_name: file-x509-subject-country + description: List of country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +file.x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: file.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard +file.x509.subject.locality: + dashed_name: file-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +file.x509.subject.organization: + dashed_name: file-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +file.x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +file.x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +file.x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword +group.domain: + dashed_name: group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the group is a member of. + type: keyword +group.id: + dashed_name: group-id + description: Unique identifier for the group on the system/platform. + flat_name: group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Unique identifier for the group on the system/platform. + type: keyword +group.name: + dashed_name: group-name + description: Name of the group. + flat_name: group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the group. + type: keyword +host.architecture: + dashed_name: host-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + short: Operating system architecture. + type: keyword +host.domain: + dashed_name: host-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS + domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + flat_name: host.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the group is a member of. + type: keyword +host.geo.city_name: + dashed_name: host-geo-city-name + description: City name. + example: Montreal + flat_name: host.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +host.geo.continent_name: + dashed_name: host-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: host.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +host.geo.country_name: + dashed_name: host-geo-country-name + description: Country name. + example: Canada + flat_name: host.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +host.geo.location: + dashed_name: host-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +host.geo.name: + dashed_name: host-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: host.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +host.geo.region_name: + dashed_name: host-geo-region-name + description: Region name. 
+ example: Quebec + flat_name: host.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +host.hostname: + dashed_name: host-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.hostname + level: core + name: hostname + normalize: [] + short: Hostname of the host. + type: wildcard +host.id: + dashed_name: host-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique host id. + type: keyword +host.ip: + dashed_name: host-ip + description: Host ip addresses. + flat_name: host.ip + level: core + name: ip + normalize: + - array + short: Host ip addresses. + type: ip +host.mac: + dashed_name: host-mac + description: Host mac addresses. + flat_name: host.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + short: Host mac addresses. + type: keyword +host.name: + dashed_name: host-name + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain + name, or a name specified by the user. The sender decides which value to use.' + flat_name: host.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the host. + type: keyword +host.os.family: + dashed_name: host-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). 
+ type: keyword +host.os.full: + dashed_name: host-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.os.full + level: extended + multi_fields: + - flat_name: host.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard +host.os.kernel: + dashed_name: host-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +host.os.name: + dashed_name: host-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.os.name + level: extended + multi_fields: + - flat_name: host.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard +host.os.platform: + dashed_name: host-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +host.os.version: + dashed_name: host-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +host.type: + dashed_name: host-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this + could be the container, for example, or other information meaningful in your environment.' + flat_name: host.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: Type of host. + type: keyword +host.uptime: + dashed_name: host-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.uptime + level: extended + name: uptime + normalize: [] + short: Seconds the host has been up. + type: long +host.user.domain: + dashed_name: host-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: host.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +host.user.email: + dashed_name: host-user-email + description: User email address. + flat_name: host.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +host.user.full_name: + dashed_name: host-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: host.user.full_name + level: extended + multi_fields: + - flat_name: host.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +host.user.group.domain: + dashed_name: host-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: host.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +host.user.group.id: + dashed_name: host-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: host.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +host.user.group.name: + dashed_name: host-user-group-name + description: Name of the group. + flat_name: host.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +host.user.hash: + dashed_name: host-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: host.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +host.user.id: + dashed_name: host-user-id + description: Unique identifier of the user. + flat_name: host.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +host.user.name: + dashed_name: host-user-name + description: Short name or login of the user. + example: albert + flat_name: host.user.name + level: core + multi_fields: + - flat_name: host.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +host.user.roles: + dashed_name: host-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: host.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ type: keyword +http.request.body.bytes: + dashed_name: http-request-body-bytes + description: Size in bytes of the request body. + example: 887 + flat_name: http.request.body.bytes + format: bytes + level: extended + name: request.body.bytes + normalize: [] + short: Size in bytes of the request body. + type: long +http.request.body.content: + dashed_name: http-request-body-content + description: The full HTTP request body. + example: Hello world + flat_name: http.request.body.content + level: extended + multi_fields: + - flat_name: http.request.body.content.text + name: text + norms: false + type: text + name: request.body.content + normalize: [] + short: The full HTTP request body. + type: wildcard +http.request.bytes: + dashed_name: http-request-bytes + description: Total size in bytes of the request (body and headers). + example: 1437 + flat_name: http.request.bytes + format: bytes + level: extended + name: request.bytes + normalize: [] + short: Total size in bytes of the request (body and headers). + type: long +http.request.method: + dashed_name: http-request-method + description: 'HTTP request method. + + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the method + may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0' + example: GET, POST, PUT, PoST + flat_name: http.request.method + ignore_above: 1024 + level: extended + name: request.method + normalize: [] + short: HTTP request method. + type: keyword +http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, not + on the `Content-Type` header. Comparing the mime type of a request with the request''s + Content-Type header can be helpful in detecting threats or misconfigured clients.' 
+ example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword +http.request.referrer: + dashed_name: http-request-referrer + description: Referrer for this HTTP request. + example: https://blog.example.com/ + flat_name: http.request.referrer + level: extended + name: request.referrer + normalize: [] + short: Referrer for this HTTP request. + type: wildcard +http.response.body.bytes: + dashed_name: http-response-body-bytes + description: Size in bytes of the response body. + example: 887 + flat_name: http.response.body.bytes + format: bytes + level: extended + name: response.body.bytes + normalize: [] + short: Size in bytes of the response body. + type: long +http.response.body.content: + dashed_name: http-response-body-content + description: The full HTTP response body. + example: Hello world + flat_name: http.response.body.content + level: extended + multi_fields: + - flat_name: http.response.body.content.text + name: text + norms: false + type: text + name: response.body.content + normalize: [] + short: The full HTTP response body. + type: wildcard +http.response.bytes: + dashed_name: http-response-bytes + description: Total size in bytes of the response (body and headers). + example: 1437 + flat_name: http.response.bytes + format: bytes + level: extended + name: response.bytes + normalize: [] + short: Total size in bytes of the response (body and headers). + type: long +http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, not + on the `Content-Type` header. Comparing the mime type of a response with the response''s + Content-Type header can be helpful in detecting misconfigured servers.' 
+ example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword +http.response.status_code: + dashed_name: http-response-status-code + description: HTTP response status code. + example: 404 + flat_name: http.response.status_code + format: string + level: extended + name: response.status_code + normalize: [] + short: HTTP response status code. + type: long +http.version: + dashed_name: http-version + description: HTTP version. + example: 1.1 + flat_name: http.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: HTTP version. + type: keyword +labels: + dashed_name: labels + description: 'Custom key/value pairs. + + Can be used to add meta information to events. Should not contain nested objects. + All values are stored as keyword. + + Example: `docker` and `k8s` labels.' + example: '{"application": "foo-bar", "env": "production"}' + flat_name: labels + level: core + name: labels + normalize: [] + object_type: keyword + short: Custom key/value pairs. + type: object +log.file.path: + dashed_name: log-file-path + description: 'Full path to the log file this event came from, including the file + name. It should include the drive letter, when appropriate. + + If the event wasn''t read from a log file, do not populate this field.' + example: /var/log/fun-times.log + flat_name: log.file.path + level: extended + name: file.path + normalize: [] + short: Full path to the log file this event came from. + type: wildcard +log.level: + dashed_name: log-level + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this is the + one that goes in `log.level`. If your source doesn''t specify one, you may put + your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' 
+ example: error + flat_name: log.level + ignore_above: 1024 + level: core + name: level + normalize: [] + short: Log level of the log event. + type: keyword +log.logger: + dashed_name: log-logger + description: The name of the logger inside an application. This is usually the name + of the class which initialized the logger, or can be a custom name. + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: log.logger + level: core + name: logger + normalize: [] + short: Name of the logger. + type: wildcard +log.origin.file.line: + dashed_name: log-origin-file-line + description: The line number of the file containing the source code which originated + the log event. + example: 42 + flat_name: log.origin.file.line + level: extended + name: origin.file.line + normalize: [] + short: The line number of the file which originated the log event. + type: integer +log.origin.file.name: + dashed_name: log-origin-file-name + description: 'The name of the file containing the source code which originated the + log event. + + Note that this field is not meant to capture the log file. The correct field to + capture the log file is `log.file.path`.' + example: Bootstrap.java + flat_name: log.origin.file.name + ignore_above: 1024 + level: extended + name: origin.file.name + normalize: [] + short: The code file which originated the log event. + type: keyword +log.origin.function: + dashed_name: log-origin-function + description: The name of the function or method which originated the log event. + example: init + flat_name: log.origin.function + ignore_above: 1024 + level: extended + name: origin.function + normalize: [] + short: The function which originated the log event. + type: keyword +log.original: + dashed_name: log-original + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. 
+ + In contrast to the `message` field which can contain an extracted part of the + log message, this field contains the original, full log message. It can have already + some modifications applied like encoding or new lines removed to clean up the + log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + doc_values: false + example: Sep 19 08:26:10 localhost My log + flat_name: log.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + short: Original log message with light interpretation only (encoding, newlines). + type: keyword +log.syslog: + dashed_name: log-syslog + description: The Syslog metadata of the event, if the event was transmitted via + Syslog. Please see RFCs 5424 or 3164. + flat_name: log.syslog + level: extended + name: syslog + normalize: [] + short: Syslog metadata + type: object +log.syslog.facility.code: + dashed_name: log-syslog-facility-code + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between 0 and + 23.' + example: 23 + flat_name: log.syslog.facility.code + format: string + level: extended + name: syslog.facility.code + normalize: [] + short: Syslog numeric facility of the event. + type: long +log.syslog.facility.name: + dashed_name: log-syslog-facility-name + description: The Syslog text-based facility of the log event, if available. + example: local7 + flat_name: log.syslog.facility.name + ignore_above: 1024 + level: extended + name: syslog.facility.name + normalize: [] + short: Syslog text-based facility of the event. + type: keyword +log.syslog.priority: + dashed_name: log-syslog-priority + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This + number is therefore expected to contain a value between 0 and 191.' 
+ example: 135 + flat_name: log.syslog.priority + format: string + level: extended + name: syslog.priority + normalize: [] + short: Syslog priority of the event. + type: long +log.syslog.severity.code: + dashed_name: log-syslog-severity-code + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. + If the event source does not specify a distinct severity, you can optionally copy + the Syslog severity to `event.severity`.' + example: 3 + flat_name: log.syslog.severity.code + level: extended + name: syslog.severity.code + normalize: [] + short: Syslog numeric severity of the event. + type: long +log.syslog.severity.name: + dashed_name: log-syslog-severity-name + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different severity value + (e.g. firewall, IDS), your source''s text severity should go to `log.level`. If + the event source does not specify a distinct severity, you can optionally copy + the Syslog severity to `log.level`.' + example: Error + flat_name: log.syslog.severity.name + ignore_above: 1024 + level: extended + name: syslog.severity.name + normalize: [] + short: Syslog text-based severity of the event. + type: keyword +message: + dashed_name: message + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World + flat_name: message + level: core + name: message + normalize: [] + norms: false + short: Log message optimized for viewing in a log viewer. 
+ type: text +network.application: + dashed_name: network-application + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, icq, + facebook, twitter. This would be used in situations where the vendor or service + can be decoded such as from the source/dest IP owners, ports, or wire format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + flat_name: network.application + ignore_above: 1024 + level: extended + name: application + normalize: [] + short: Application level protocol name. + type: keyword +network.bytes: + dashed_name: network-bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + flat_name: network.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Total bytes transferred in both directions. + type: long +network.community_id: + dashed_name: network-community-id + description: 'A hash of source and destination IPs and ports, as well as the protocol + used in a communication. This is a tool-agnostic standard to identify flows. + + Learn more at https://github.com/corelight/community-id-spec.' + example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + flat_name: network.community_id + ignore_above: 1024 + level: extended + name: community_id + normalize: [] + short: A hash of source and destination IPs and ports. 
+ type: keyword +network.direction: + dashed_name: network-direction + description: "Direction of the network traffic.\nRecommended values are:\n * ingress\n\ + \ * egress\n * inbound\n * outbound\n * internal\n * external\n * unknown\n\ + \nWhen mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view, using the values \"ingress\" or \"egress\".\n\ + When mapping events from a network or perimeter-based monitoring context, populate\ + \ this field from the point of view of the network perimeter, using the values\ + \ \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\"\ + \ is not crossing perimeter boundaries, and is meant to describe communication\ + \ between two hosts within the perimeter. Note also that \"external\" is meant\ + \ to describe traffic between two hosts that are external to the perimeter. This\ + \ could for example be useful for ISPs or VPN service providers." + example: inbound + flat_name: network.direction + ignore_above: 1024 + level: core + name: direction + normalize: [] + short: Direction of the network traffic. + type: keyword +network.forwarded_ip: + dashed_name: network-forwarded-ip + description: Host IP address when the source IP address is the proxy. + example: 192.1.1.2 + flat_name: network.forwarded_ip + level: core + name: forwarded_ip + normalize: [] + short: Host IP address when the source IP address is the proxy. + type: ip +network.iana_number: + dashed_name: network-iana-number + description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). + Standardized list of protocols. This aligns well with NetFlow and sFlow related + logs which use the IANA Protocol Number. + example: 6 + flat_name: network.iana_number + ignore_above: 1024 + level: extended + name: iana_number + normalize: [] + short: IANA Protocol Number. 
+ type: keyword +network.inner: + dashed_name: network-inner + description: Network.inner fields are added in addition to network.vlan fields to + describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields + include vlan.id and vlan.name. Inner vlan fields are typically used when sending + traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + flat_name: network.inner + level: extended + name: inner + normalize: [] + short: Inner VLAN tag information + type: object +network.inner.vlan.id: + dashed_name: network-inner-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: network.inner.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword +network.inner.vlan.name: + dashed_name: network-inner-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: network.inner.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword +network.name: + dashed_name: network-name + description: Name given by operators to sections of their network. + example: Guest Wifi + flat_name: network.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name given by operators to sections of their network. + type: keyword +network.packets: + dashed_name: network-packets + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` is + their sum.' + example: 24 + flat_name: network.packets + level: core + name: packets + normalize: [] + short: Total packets transferred in both directions. + type: long +network.protocol: + dashed_name: network-protocol + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. 
+ + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + flat_name: network.protocol + ignore_above: 1024 + level: core + name: protocol + normalize: [] + short: L7 Network protocol name. + type: keyword +network.transport: + dashed_name: network-transport + description: 'Same as network.iana_number, but instead using the Keyword name of + the transport layer (udp, tcp, ipv6-icmp, etc.) + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: tcp + flat_name: network.transport + ignore_above: 1024 + level: core + name: transport + normalize: [] + short: Protocol Name corresponding to the field `iana_number`. + type: keyword +network.type: + dashed_name: network-type + description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, + pim, etc + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: ipv4 + flat_name: network.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, + etc + type: keyword +network.vlan.id: + dashed_name: network-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: network.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword +network.vlan.name: + dashed_name: network-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: network.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. 
+ type: keyword +observer.egress: + dashed_name: observer-egress + description: Observer.egress holds information like interface number and name, vlan, + and zone information to classify egress traffic. Single armed monitoring such + as a network sensor on a span port should only use observer.ingress to categorize + traffic. + flat_name: observer.egress + level: extended + name: egress + normalize: [] + short: Object field for egress information + type: object +observer.egress.interface.alias: + dashed_name: observer-egress-interface-alias + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + flat_name: observer.egress.interface.alias + ignore_above: 1024 + level: extended + name: alias + normalize: [] + original_fieldset: interface + short: Interface alias + type: keyword +observer.egress.interface.id: + dashed_name: observer-egress-interface-id + description: Interface ID as reported by an observer (typically SNMP interface ID). + example: 10 + flat_name: observer.egress.interface.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: interface + short: Interface ID + type: keyword +observer.egress.interface.name: + dashed_name: observer-egress-interface-name + description: Interface name as reported by the system. + example: eth0 + flat_name: observer.egress.interface.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: interface + short: Interface name + type: keyword +observer.egress.vlan.id: + dashed_name: observer-egress-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: observer.egress.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. 
+ type: keyword +observer.egress.vlan.name: + dashed_name: observer-egress-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: observer.egress.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword +observer.egress.zone: + dashed_name: observer-egress-zone + description: Network zone of outbound traffic as reported by the observer to categorize + the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, + etc. + example: Public_Internet + flat_name: observer.egress.zone + ignore_above: 1024 + level: extended + name: egress.zone + normalize: [] + short: Observer Egress zone + type: keyword +observer.geo.city_name: + dashed_name: observer-geo-city-name + description: City name. + example: Montreal + flat_name: observer.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +observer.geo.continent_name: + dashed_name: observer-geo-continent-name + description: Name of the continent. + example: North America + flat_name: observer.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +observer.geo.country_iso_code: + dashed_name: observer-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: observer.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +observer.geo.country_name: + dashed_name: observer-geo-country-name + description: Country name. + example: Canada + flat_name: observer.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +observer.geo.location: + dashed_name: observer-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: observer.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +observer.geo.name: + dashed_name: observer-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: observer.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +observer.geo.region_iso_code: + dashed_name: observer-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: observer.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +observer.geo.region_name: + dashed_name: observer-geo-region-name + description: Region name. + example: Quebec + flat_name: observer.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +observer.hostname: + dashed_name: observer-hostname + description: Hostname of the observer. + flat_name: observer.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + short: Hostname of the observer. + type: keyword +observer.ingress: + dashed_name: observer-ingress + description: Observer.ingress holds information like interface number and name, + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to categorize + traffic. 
+ flat_name: observer.ingress + level: extended + name: ingress + normalize: [] + short: Object field for ingress information + type: object +observer.ingress.interface.alias: + dashed_name: observer-ingress-interface-alias + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + flat_name: observer.ingress.interface.alias + ignore_above: 1024 + level: extended + name: alias + normalize: [] + original_fieldset: interface + short: Interface alias + type: keyword +observer.ingress.interface.id: + dashed_name: observer-ingress-interface-id + description: Interface ID as reported by an observer (typically SNMP interface ID). + example: 10 + flat_name: observer.ingress.interface.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: interface + short: Interface ID + type: keyword +observer.ingress.interface.name: + dashed_name: observer-ingress-interface-name + description: Interface name as reported by the system. + example: eth0 + flat_name: observer.ingress.interface.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: interface + short: Interface name + type: keyword +observer.ingress.vlan.id: + dashed_name: observer-ingress-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: observer.ingress.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword +observer.ingress.vlan.name: + dashed_name: observer-ingress-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: observer.ingress.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. 
+ type: keyword +observer.ingress.zone: + dashed_name: observer-ingress-zone + description: Network zone of incoming traffic as reported by the observer to categorize + the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, + etc. + example: DMZ + flat_name: observer.ingress.zone + ignore_above: 1024 + level: extended + name: ingress.zone + normalize: [] + short: Observer ingress zone + type: keyword +observer.ip: + dashed_name: observer-ip + description: IP addresses of the observer. + flat_name: observer.ip + level: core + name: ip + normalize: + - array + short: IP addresses of the observer. + type: ip +observer.mac: + dashed_name: observer-mac + description: MAC addresses of the observer + flat_name: observer.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + short: MAC addresses of the observer + type: keyword +observer.name: + dashed_name: observer-name + description: 'Custom name of the observer. + + This is a name that can be given to an observer. This can be helpful for example + if multiple firewalls of the same model are used in an organization. + + If no custom name is needed, the field can be left empty.' + example: 1_proxySG + flat_name: observer.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Custom name of the observer. + type: keyword +observer.os.family: + dashed_name: observer-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: observer.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +observer.os.full: + dashed_name: observer-os-full + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + flat_name: observer.os.full + level: extended + multi_fields: + - flat_name: observer.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard +observer.os.kernel: + dashed_name: observer-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: observer.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +observer.os.name: + dashed_name: observer-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: observer.os.name + level: extended + multi_fields: + - flat_name: observer.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard +observer.os.platform: + dashed_name: observer-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: observer.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +observer.os.version: + dashed_name: observer-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: observer.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +observer.product: + dashed_name: observer-product + description: The product name of the observer. + example: s200 + flat_name: observer.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + short: The product name of the observer. 
+ type: keyword +observer.serial_number: + dashed_name: observer-serial-number + description: Observer serial number. + flat_name: observer.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Observer serial number. + type: keyword +observer.type: + dashed_name: observer-type + description: 'The type of the observer the data is coming from. + + There is no predefined list of observer types. Some examples are `forwarder`, + `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' + example: firewall + flat_name: observer.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: The type of the observer the data is coming from. + type: keyword +observer.vendor: + dashed_name: observer-vendor + description: Vendor name of the observer. + example: Symantec + flat_name: observer.vendor + ignore_above: 1024 + level: core + name: vendor + normalize: [] + short: Vendor name of the observer. + type: keyword +observer.version: + dashed_name: observer-version + description: Observer version. + flat_name: observer.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Observer version. + type: keyword +organization.id: + dashed_name: organization-id + description: Unique identifier for the organization. + flat_name: organization.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Unique identifier for the organization. + type: keyword +organization.name: + dashed_name: organization-name + description: Organization name. + flat_name: organization.name + level: extended + multi_fields: + - flat_name: organization.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Organization name. + type: wildcard +package.architecture: + dashed_name: package-architecture + description: Package architecture. 
+ example: x86_64 + flat_name: package.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + short: Package architecture. + type: keyword +package.build_version: + dashed_name: package-build-version + description: 'Additional information about the build version of the installed package. + + For example use the commit SHA of a non-released package.' + example: 36f4f7e89dd61b0988b12ee000b98966867710cd + flat_name: package.build_version + ignore_above: 1024 + level: extended + name: build_version + normalize: [] + short: Build version information + type: keyword +package.checksum: + dashed_name: package-checksum + description: Checksum of the installed package for verification. + example: 68b329da9893e34099c7d8ad5cb9c940 + flat_name: package.checksum + ignore_above: 1024 + level: extended + name: checksum + normalize: [] + short: Checksum of the installed package for verification. + type: keyword +package.description: + dashed_name: package-description + description: Description of the package. + example: Open source programming language to build simple/reliable/efficient software. + flat_name: package.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + short: Description of the package. + type: keyword +package.install_scope: + dashed_name: package-install-scope + description: Indicating how the package was installed, e.g. user-local, global. + example: global + flat_name: package.install_scope + ignore_above: 1024 + level: extended + name: install_scope + normalize: [] + short: Indicating how the package was installed, e.g. user-local, global. + type: keyword +package.installed: + dashed_name: package-installed + description: Time when package was installed. + flat_name: package.installed + level: extended + name: installed + normalize: [] + short: Time when package was installed. 
+ type: date +package.license: + dashed_name: package-license + description: 'License under which the package was released. + + Use a short name, e.g. the license identifier from SPDX License List where possible + (https://spdx.org/licenses/).' + example: Apache License 2.0 + flat_name: package.license + ignore_above: 1024 + level: extended + name: license + normalize: [] + short: Package license + type: keyword +package.name: + dashed_name: package-name + description: Package name + example: go + flat_name: package.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Package name + type: keyword +package.path: + dashed_name: package-path + description: Path where the package is installed. + example: /usr/local/Cellar/go/1.12.9/ + flat_name: package.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + short: Path where the package is installed. + type: keyword +package.reference: + dashed_name: package-reference + description: Home page or reference URL of the software in this package, if available. + example: https://golang.org + flat_name: package.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Package home page or reference URL + type: keyword +package.size: + dashed_name: package-size + description: Package size in bytes. + example: 62231 + flat_name: package.size + format: string + level: extended + name: size + normalize: [] + short: Package size in bytes. + type: long +package.type: + dashed_name: package-type + description: 'Type of package. + + This should contain the package file type, rather than the package manager name. + Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' 
+ example: rpm + flat_name: package.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: Package type + type: keyword +package.version: + dashed_name: package-version + description: Package version + example: 1.12.9 + flat_name: package.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Package version + type: keyword +process.args: + dashed_name: process-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + short: Array of process arguments. + type: keyword +process.args_count: + dashed_name: process-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.args_count + level: extended + name: args_count + normalize: [] + short: Length of the process.args array. + type: long +process.code_signature.exists: + dashed_name: process-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.code_signature.trusted: + dashed_name: process-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.code_signature.valid: + dashed_name: process-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.command_line: + dashed_name: process-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + level: extended + multi_fields: + - flat_name: process.command_line.text + name: text + norms: false + type: text + name: command_line + normalize: [] + short: Full command line that started the process. + type: wildcard +process.entity_id: + dashed_name: process-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + short: Unique identifier for the process. + type: keyword +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + norms: false + type: text + name: executable + normalize: [] + short: Absolute path to the process executable. + type: wildcard +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long +process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. 
+ type: keyword +process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + level: extended + multi_fields: + - flat_name: process.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Process name. + type: wildcard +process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' 
+ example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' 
+ example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + norms: false + type: text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + norms: false + type: text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: wildcard +process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. 
+ flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: wildcard +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.pgid: + dashed_name: process-parent-pgid + description: Identifier of the group of processes the process belongs to. 
+ flat_name: process.parent.pgid + format: string + level: extended + name: pgid + normalize: [] + original_fieldset: process + short: Identifier of the group of processes the process belongs to. + type: long +process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.ppid: + dashed_name: process-parent-ppid + description: Parent process' pid. + example: 4241 + flat_name: process.parent.ppid + format: string + level: extended + name: ppid + normalize: [] + original_fieldset: process + short: Parent process' pid. + type: long +process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.parent.title + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + norms: false + type: text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: wildcard +process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + norms: false + type: text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: wildcard +process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword +process.pgid: + dashed_name: process-pgid + description: Identifier of the group of processes the process belongs to. + flat_name: process.pgid + format: string + level: extended + name: pgid + normalize: [] + short: Identifier of the group of processes the process belongs to. + type: long +process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + short: Process id. + type: long +process.ppid: + dashed_name: process-ppid + description: Parent process' pid. + example: 4241 + flat_name: process.ppid + format: string + level: extended + name: ppid + normalize: [] + short: Parent process' pid. + type: long +process.start: + dashed_name: process-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.start + level: extended + name: start + normalize: [] + short: The time the process started. + type: date +process.thread.id: + dashed_name: process-thread-id + description: Thread ID. + example: 4242 + flat_name: process.thread.id + format: string + level: extended + name: thread.id + normalize: [] + short: Thread ID. + type: long +process.thread.name: + dashed_name: process-thread-name + description: Thread name. + example: thread-0 + flat_name: process.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + short: Thread name. + type: keyword +process.title: + dashed_name: process-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.title + level: extended + multi_fields: + - flat_name: process.title.text + name: text + norms: false + type: text + name: title + normalize: [] + short: Process title. 
+ type: wildcard +process.uptime: + dashed_name: process-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.uptime + level: extended + name: uptime + normalize: [] + short: Seconds the process has been up. + type: long +process.working_directory: + dashed_name: process-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.working_directory + level: extended + multi_fields: + - flat_name: process.working_directory.text + name: text + norms: false + type: text + name: working_directory + normalize: [] + short: The working directory of the process. + type: wildcard +registry.data.bytes: + dashed_name: registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + short: Original bytes written with base64 encoding. + type: keyword +registry.data.strings: + dashed_name: registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + level: core + name: data.strings + normalize: + - array + short: List of strings representing what was written to the registry. 
+ type: wildcard +registry.data.type: + dashed_name: registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + short: Standard registry type for encoding contents + type: keyword +registry.hive: + dashed_name: registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + short: Abbreviated name for the hive. + type: keyword +registry.key: + dashed_name: registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + level: core + name: key + normalize: [] + short: Hive-relative path of keys. + type: wildcard +registry.path: + dashed_name: registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + level: core + name: path + normalize: [] + short: Full path, including hive, key and value + type: wildcard +registry.value: + dashed_name: registry-value + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + short: Name of the value written. + type: keyword +related.hash: + dashed_name: related-hash + description: All the hashes seen on your event. Populating this field, then using + it to search for hashes can help in situations where you're unsure what the hash + algorithm is (and therefore which key name to search). + flat_name: related.hash + ignore_above: 1024 + level: extended + name: hash + normalize: + - array + short: All the hashes seen on your event. 
+ type: keyword +related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword +related.ip: + dashed_name: related-ip + description: All of the IPs seen on your event. + flat_name: related.ip + level: extended + name: ip + normalize: + - array + short: All of the IPs seen on your event. + type: ip +related.user: + dashed_name: related-user + description: All the user names seen on your event. + flat_name: related.user + ignore_above: 1024 + level: extended + name: user + normalize: + - array + short: All the user names seen on your event. + type: keyword +rule.author: + dashed_name: rule-author + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: '["Star-Lord"]' + flat_name: rule.author + ignore_above: 1024 + level: extended + name: author + normalize: + - array + short: Rule author + type: keyword +rule.category: + dashed_name: rule-category + description: A categorization value keyword used by the entity using the rule for + detection of this event. + example: Attempted Information Leak + flat_name: rule.category + ignore_above: 1024 + level: extended + name: category + normalize: [] + short: Rule category + type: keyword +rule.description: + dashed_name: rule-description + description: The description of the rule generating the event. 
+ example: Block requests to public DNS over HTTPS / TLS protocols + flat_name: rule.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + short: Rule description + type: keyword +rule.id: + dashed_name: rule-id + description: A rule ID that is unique within the scope of an agent, observer, or + other entity using the rule for detection of this event. + example: 101 + flat_name: rule.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Rule ID + type: keyword +rule.license: + dashed_name: rule-license + description: Name of the license under which the rule used to generate this event + is made available. + example: Apache 2.0 + flat_name: rule.license + ignore_above: 1024 + level: extended + name: license + normalize: [] + short: Rule license + type: keyword +rule.name: + dashed_name: rule-name + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + flat_name: rule.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Rule name + type: keyword +rule.reference: + dashed_name: rule-reference + description: 'Reference URL to additional information about the rule used to generate + this event. + + The URL can point to the vendor''s documentation about the rule. If that''s not + available, it can also be a link to a more general page describing this type of + alert.' + example: https://en.wikipedia.org/wiki/DNS_over_TLS + flat_name: rule.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Rule reference URL + type: keyword +rule.ruleset: + dashed_name: rule-ruleset + description: Name of the ruleset, policy, group, or parent category in which the + rule used to generate this event is a member. 
+ example: Standard_Protocol_Filters + flat_name: rule.ruleset + ignore_above: 1024 + level: extended + name: ruleset + normalize: [] + short: Rule ruleset + type: keyword +rule.uuid: + dashed_name: rule-uuid + description: A rule ID that is unique within the scope of a set or group of agents, + observers, or other entities using the rule for detection of this event. + example: 1100110011 + flat_name: rule.uuid + ignore_above: 1024 + level: extended + name: uuid + normalize: [] + short: Rule UUID + type: keyword +rule.version: + dashed_name: rule-version + description: The version / revision of the rule being used for analysis. + example: 1.1 + flat_name: rule.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Rule version + type: keyword +server.address: + dashed_name: server-address + description: 'Some event server addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: server.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Server network address. + type: keyword +server.as.number: + dashed_name: server-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: server.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +server.as.organization.name: + dashed_name: server-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: server.as.organization.name + level: extended + multi_fields: + - flat_name: server.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +server.bytes: + dashed_name: server-bytes + description: Bytes sent from the server to the client. + example: 184 + flat_name: server.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the server to the client. + type: long +server.domain: + dashed_name: server-domain + description: Server domain. + flat_name: server.domain + level: core + name: domain + normalize: [] + short: Server domain. + type: wildcard +server.geo.city_name: + dashed_name: server-geo-city-name + description: City name. + example: Montreal + flat_name: server.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +server.geo.continent_name: + dashed_name: server-geo-continent-name + description: Name of the continent. + example: North America + flat_name: server.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +server.geo.country_iso_code: + dashed_name: server-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: server.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +server.geo.country_name: + dashed_name: server-geo-country-name + description: Country name. + example: Canada + flat_name: server.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +server.geo.location: + dashed_name: server-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: server.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +server.geo.name: + dashed_name: server-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: server.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +server.geo.region_iso_code: + dashed_name: server-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: server.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +server.geo.region_name: + dashed_name: server-geo-region-name + description: Region name. + example: Quebec + flat_name: server.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +server.ip: + dashed_name: server-ip + description: IP address of the server (IPv4 or IPv6). + flat_name: server.ip + level: core + name: ip + normalize: [] + short: IP address of the server. + type: ip +server.mac: + dashed_name: server-mac + description: MAC address of the server. + flat_name: server.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the server. + type: keyword +server.nat.ip: + dashed_name: server-nat-ip + description: 'Translated ip of destination based NAT sessions (e.g. 
internet to + private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: server.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Server NAT ip + type: ip +server.nat.port: + dashed_name: server-nat-port + description: 'Translated port of destination based NAT sessions (e.g. internet to + private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: server.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Server NAT port + type: long +server.packets: + dashed_name: server-packets + description: Packets sent from the server to the client. + example: 12 + flat_name: server.packets + level: core + name: packets + normalize: [] + short: Packets sent from the server to the client. + type: long +server.port: + dashed_name: server-port + description: Port of the server. + flat_name: server.port + format: string + level: core + name: port + normalize: [] + short: Port of the server. + type: long +server.registered_domain: + dashed_name: server-registered-domain + description: 'The highest registered server domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: server.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered server domain, stripped of the subdomain. + type: wildcard +server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +server.top_level_domain: + dashed_name: server-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: server.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +server.user.domain: + dashed_name: server-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: server.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +server.user.email: + dashed_name: server-user-email + description: User email address. + flat_name: server.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: wildcard +server.user.full_name: + dashed_name: server-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: server.user.full_name + level: extended + multi_fields: + - flat_name: server.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +server.user.group.domain: + dashed_name: server-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: server.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +server.user.group.id: + dashed_name: server-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: server.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +server.user.group.name: + dashed_name: server-user-group-name + description: Name of the group. + flat_name: server.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +server.user.hash: + dashed_name: server-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: server.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +server.user.id: + dashed_name: server-user-id + description: Unique identifier of the user. 
+ flat_name: server.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +server.user.name: + dashed_name: server-user-name + description: Short name or login of the user. + example: albert + flat_name: server.user.name + level: core + multi_fields: + - flat_name: server.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +server.user.roles: + dashed_name: server-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: server.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +service.ephemeral_id: + dashed_name: service-ephemeral-id + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + flat_name: service.ephemeral_id + ignore_above: 1024 + level: extended + name: ephemeral_id + normalize: [] + short: Ephemeral identifier of this service. + type: keyword +service.id: + dashed_name: service-id + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node emitted + the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' 
+ example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + flat_name: service.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of the running service. + type: keyword +service.name: + dashed_name: service-name + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed services + that run on multiple hosts to correlate the related instances based on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster name. + For Beats the `service.name` is by default a copy of the `service.type` field + if no name is specified.' + example: elasticsearch-metrics + flat_name: service.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the service. + type: keyword +service.node.name: + dashed_name: service-node-name + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to be differentiated. + Therefore, `service.node.name` should typically be unique across nodes of a given + service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used to + distinguish running instances that make up this service. If those do not provide + uniqueness (e.g. multiple instances of the service running on the same host) - + the node name can be manually set.' + example: instance-0000000016 + flat_name: service.node.name + ignore_above: 1024 + level: extended + name: node.name + normalize: [] + short: Name of the service node. + type: keyword +service.state: + dashed_name: service-state + description: Current state of the service. + flat_name: service.state + ignore_above: 1024 + level: core + name: state + normalize: [] + short: Current state of the service. 
+ type: keyword +service.type: + dashed_name: service-type + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` would + be `elasticsearch`.' + example: elasticsearch + flat_name: service.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: The type of the service. + type: keyword +service.version: + dashed_name: service-version + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + flat_name: service.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Version of the service. + type: keyword +source.address: + dashed_name: source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Source network address. + type: keyword +source.as.number: + dashed_name: source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +source.as.organization.name: + dashed_name: source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: source.as.organization.name + level: extended + multi_fields: + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +source.bytes: + dashed_name: source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: source.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the source to the destination. + type: long +source.domain: + dashed_name: source-domain + description: Source domain. + flat_name: source.domain + level: core + name: domain + normalize: [] + short: Source domain. + type: wildcard +source.geo.city_name: + dashed_name: source-geo-city-name + description: City name. + example: Montreal + flat_name: source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +source.geo.continent_name: + dashed_name: source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +source.geo.country_iso_code: + dashed_name: source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +source.geo.country_name: + dashed_name: source-geo-country-name + description: Country name. + example: Canada + flat_name: source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +source.geo.location: + dashed_name: source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +source.geo.name: + dashed_name: source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: source.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +source.geo.region_iso_code: + dashed_name: source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +source.geo.region_name: + dashed_name: source-geo-region-name + description: Region name. + example: Quebec + flat_name: source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +source.ip: + dashed_name: source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: source.ip + level: core + name: ip + normalize: [] + short: IP address of the source. + type: ip +source.mac: + dashed_name: source-mac + description: MAC address of the source. + flat_name: source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the source. + type: keyword +source.nat.ip: + dashed_name: source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: source.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Source NAT ip + type: ip +source.nat.port: + dashed_name: source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Source NAT port + type: long +source.packets: + dashed_name: source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: source.packets + level: core + name: packets + normalize: [] + short: Packets sent from the source to the destination. + type: long +source.port: + dashed_name: source-port + description: Port of the source. + flat_name: source.port + format: string + level: core + name: port + normalize: [] + short: Port of the source. + type: long +source.registered_domain: + dashed_name: source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: source.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered source domain, stripped of the subdomain. + type: wildcard +source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +source.top_level_domain: + dashed_name: source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +source.user.domain: + dashed_name: source-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: source.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +source.user.email: + dashed_name: source-user-email + description: User email address. + flat_name: source.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: wildcard +source.user.full_name: + dashed_name: source-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: source.user.full_name + level: extended + multi_fields: + - flat_name: source.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +source.user.group.domain: + dashed_name: source-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: source.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +source.user.group.id: + dashed_name: source-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: source.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +source.user.group.name: + dashed_name: source-user-group-name + description: Name of the group. + flat_name: source.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +source.user.hash: + dashed_name: source-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: source.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +source.user.id: + dashed_name: source-user-id + description: Unique identifier of the user. 
+ flat_name: source.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +source.user.name: + dashed_name: source-user-name + description: Short name or login of the user. + example: albert + flat_name: source.user.name + level: core + multi_fields: + - flat_name: source.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +source.user.roles: + dashed_name: source-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: source.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +span.id: + dashed_name: span-id + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to another + service, or a database query.' + example: 3ff9a8981b7ccd5a + flat_name: span.id + ignore_above: 1024 + level: extended + name: span.id + normalize: [] + short: Unique identifier of the span within the scope of its trace. + type: keyword +tags: + dashed_name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + flat_name: tags + ignore_above: 1024 + level: core + name: tags + normalize: + - array + short: List of keywords used to tag each event. + type: keyword +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. 
+ example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword +threat.tactic.id: + dashed_name: threat-tactic-id + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 + flat_name: threat.tactic.id + ignore_above: 1024 + level: extended + name: tactic.id + normalize: + - array + short: Threat tactic id. + type: keyword +threat.tactic.name: + dashed_name: threat-tactic-name + description: "Name of the type of tactic used by this threat. You can use a MITRE\ + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution + flat_name: threat.tactic.name + ignore_above: 1024 + level: extended + name: tactic.name + normalize: + - array + short: Threat tactic. + type: keyword +threat.tactic.reference: + dashed_name: threat-tactic-reference + description: "The reference url of tactic used by this threat. You can use a MITRE\ + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ + \ )" + example: https://attack.mitre.org/tactics/TA0002/ + flat_name: threat.tactic.reference + ignore_above: 1024 + level: extended + name: tactic.reference + normalize: + - array + short: Threat tactic URL reference. + type: keyword +threat.technique.id: + dashed_name: threat-technique-id + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 + flat_name: threat.technique.id + ignore_above: 1024 + level: extended + name: technique.id + normalize: + - array + short: Threat technique id. + type: keyword +threat.technique.name: + dashed_name: threat-technique-name + description: "The name of technique used by this threat. 
You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter + flat_name: threat.technique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.name.text + name: text + norms: false + type: text + name: technique.name + normalize: + - array + short: Threat technique name. + type: keyword +threat.technique.reference: + dashed_name: threat-technique-reference + description: "The reference url of technique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + flat_name: threat.technique.reference + ignore_above: 1024 + level: extended + name: technique.reference + normalize: + - array + short: Threat technique URL reference. + type: keyword +threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword +threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. 
+ type: keyword +threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword +tls.cipher: + dashed_name: tls-cipher + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + flat_name: tls.cipher + ignore_above: 1024 + level: extended + name: cipher + normalize: [] + short: String indicating the cipher used during the current connection. + type: keyword +tls.client.certificate: + dashed_name: tls-client-certificate + description: PEM-encoded stand-alone certificate offered by the client. This is + usually mutually-exclusive of `client.certificate_chain` since this value also + exists in that list. + example: MII... + flat_name: tls.client.certificate + ignore_above: 1024 + level: extended + name: client.certificate + normalize: [] + short: PEM-encoded stand-alone certificate offered by the client. + type: keyword +tls.client.certificate_chain: + dashed_name: tls-client-certificate-chain + description: Array of PEM-encoded certificates that make up the certificate chain + offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + flat_name: tls.client.certificate_chain + ignore_above: 1024 + level: extended + name: client.certificate_chain + normalize: + - array + short: Array of PEM-encoded certificates that make up the certificate chain offered + by the client. 
+ type: keyword +tls.client.hash.md5: + dashed_name: tls-client-hash-md5 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.client.hash.md5 + ignore_above: 1024 + level: extended + name: client.hash.md5 + normalize: [] + short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate + offered by the client. + type: keyword +tls.client.hash.sha1: + dashed_name: tls-client-hash-sha1 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.client.hash.sha1 + ignore_above: 1024 + level: extended + name: client.hash.sha1 + normalize: [] + short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate + offered by the client. + type: keyword +tls.client.hash.sha256: + dashed_name: tls-client-hash-sha256 + description: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.client.hash.sha256 + ignore_above: 1024 + level: extended + name: client.hash.sha256 + normalize: [] + short: Certificate fingerprint using the SHA256 digest of DER-encoded version of + certificate offered by the client. + type: keyword +tls.client.issuer: + dashed_name: tls-client-issuer + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. 
+ example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.client.issuer + level: extended + name: client.issuer + normalize: [] + short: Distinguished name of subject of the issuer of the x.509 certificate presented + by the client. + type: wildcard +tls.client.ja3: + dashed_name: tls-client-ja3 + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + flat_name: tls.client.ja3 + ignore_above: 1024 + level: extended + name: client.ja3 + normalize: [] + short: A hash that identifies clients based on how they perform an SSL/TLS handshake. + type: keyword +tls.client.not_after: + dashed_name: tls-client-not-after + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.client.not_after + level: extended + name: client.not_after + normalize: [] + short: Date/Time indicating when client certificate is no longer considered valid. + type: date +tls.client.not_before: + dashed_name: tls-client-not-before + description: Date/Time indicating when client certificate is first considered valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.client.not_before + level: extended + name: client.not_before + normalize: [] + short: Date/Time indicating when client certificate is first considered valid. + type: date +tls.client.server_name: + dashed_name: tls-client-server-name + description: Also called an SNI, this tells the server which hostname to which the + client is attempting to connect to. When this value is available, it should get + copied to `destination.domain`. + example: www.elastic.co + flat_name: tls.client.server_name + ignore_above: 1024 + level: extended + name: client.server_name + normalize: [] + short: Hostname the client is trying to connect to. Also called the SNI. 
+ type: keyword +tls.client.subject: + dashed_name: tls-client-subject + description: Distinguished name of subject of the x.509 certificate presented by + the client. + example: CN=myclient, OU=Documentation Team, DC=example, DC=com + flat_name: tls.client.subject + level: extended + name: client.subject + normalize: [] + short: Distinguished name of subject of the x.509 certificate presented by the client. + type: wildcard +tls.client.supported_ciphers: + dashed_name: tls-client-supported-ciphers + description: Array of ciphers offered by the client during the client hello. + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' + flat_name: tls.client.supported_ciphers + ignore_above: 1024 + level: extended + name: client.supported_ciphers + normalize: + - array + short: Array of ciphers offered by the client during the client hello. + type: keyword +tls.client.x509.alternative_names: + dashed_name: tls-client-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.client.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +tls.client.x509.issuer.common_name: + dashed_name: tls-client-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: tls.client.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword +tls.client.x509.issuer.country: + dashed_name: tls-client-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.client.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +tls.client.x509.issuer.distinguished_name: + dashed_name: tls-client-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: tls.client.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +tls.client.x509.issuer.locality: + dashed_name: tls-client-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.client.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.client.x509.issuer.organization: + dashed_name: tls-client-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: tls.client.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +tls.client.x509.issuer.organizational_unit: + dashed_name: tls-client-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: tls.client.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +tls.client.x509.issuer.state_or_province: + dashed_name: tls-client-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.client.x509.not_after: + dashed_name: tls-client-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.client.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +tls.client.x509.not_before: + dashed_name: tls-client-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.client.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.client.x509.public_key_algorithm: + dashed_name: tls-client-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.client.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. 
+ type: keyword +tls.client.x509.public_key_curve: + dashed_name: tls-client-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: tls.client.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +tls.client.x509.public_key_exponent: + dashed_name: tls-client-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.client.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +tls.client.x509.public_key_size: + dashed_name: tls-client-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.client.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +tls.client.x509.serial_number: + dashed_name: tls-client-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.client.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +tls.client.x509.signature_algorithm: + dashed_name: tls-client-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: tls.client.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +tls.client.x509.subject.common_name: + dashed_name: tls-client-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: tls.client.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +tls.client.x509.subject.country: + dashed_name: tls-client-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.client.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +tls.client.x509.subject.distinguished_name: + dashed_name: tls-client-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: tls.client.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard +tls.client.x509.subject.locality: + dashed_name: tls-client-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.client.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.client.x509.subject.organization: + dashed_name: tls-client-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: tls.client.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +tls.client.x509.subject.organizational_unit: + dashed_name: tls-client-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.client.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +tls.client.x509.subject.state_or_province: + dashed_name: tls-client-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.client.x509.version_number: + dashed_name: tls-client-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.client.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword +tls.curve: + dashed_name: tls-curve + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + flat_name: tls.curve + ignore_above: 1024 + level: extended + name: curve + normalize: [] + short: String indicating the curve used for the given cipher, when applicable. + type: keyword +tls.established: + dashed_name: tls-established + description: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + flat_name: tls.established + level: extended + name: established + normalize: [] + short: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + type: boolean +tls.next_protocol: + dashed_name: tls-next-protocol + description: String indicating the protocol being tunneled. Per the values in the + IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + flat_name: tls.next_protocol + ignore_above: 1024 + level: extended + name: next_protocol + normalize: [] + short: String indicating the protocol being tunneled. + type: keyword +tls.resumed: + dashed_name: tls-resumed + description: Boolean flag indicating if this TLS connection was resumed from an + existing TLS negotiation. + flat_name: tls.resumed + level: extended + name: resumed + normalize: [] + short: Boolean flag indicating if this TLS connection was resumed from an existing + TLS negotiation. + type: boolean +tls.server.certificate: + dashed_name: tls-server-certificate + description: PEM-encoded stand-alone certificate offered by the server. This is + usually mutually-exclusive of `server.certificate_chain` since this value also + exists in that list. + example: MII... 
+ flat_name: tls.server.certificate + ignore_above: 1024 + level: extended + name: server.certificate + normalize: [] + short: PEM-encoded stand-alone certificate offered by the server. + type: keyword +tls.server.certificate_chain: + dashed_name: tls-server-certificate-chain + description: Array of PEM-encoded certificates that make up the certificate chain + offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + flat_name: tls.server.certificate_chain + ignore_above: 1024 + level: extended + name: server.certificate_chain + normalize: + - array + short: Array of PEM-encoded certificates that make up the certificate chain offered + by the server. + type: keyword +tls.server.hash.md5: + dashed_name: tls-server-hash-md5 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.server.hash.md5 + ignore_above: 1024 + level: extended + name: server.hash.md5 + normalize: [] + short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate + offered by the server. + type: keyword +tls.server.hash.sha1: + dashed_name: tls-server-hash-sha1 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.server.hash.sha1 + ignore_above: 1024 + level: extended + name: server.hash.sha1 + normalize: [] + short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate + offered by the server. 
+ type: keyword +tls.server.hash.sha256: + dashed_name: tls-server-hash-sha256 + description: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.server.hash.sha256 + ignore_above: 1024 + level: extended + name: server.hash.sha256 + normalize: [] + short: Certificate fingerprint using the SHA256 digest of DER-encoded version of + certificate offered by the server. + type: keyword +tls.server.issuer: + dashed_name: tls-server-issuer + description: Subject of the issuer of the x.509 certificate presented by the server. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.server.issuer + level: extended + name: server.issuer + normalize: [] + short: Subject of the issuer of the x.509 certificate presented by the server. + type: wildcard +tls.server.ja3s: + dashed_name: tls-server-ja3s + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + flat_name: tls.server.ja3s + ignore_above: 1024 + level: extended + name: server.ja3s + normalize: [] + short: A hash that identifies servers based on how they perform an SSL/TLS handshake. + type: keyword +tls.server.not_after: + dashed_name: tls-server-not-after + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.server.not_after + level: extended + name: server.not_after + normalize: [] + short: Timestamp indicating when server certificate is no longer considered valid. + type: date +tls.server.not_before: + dashed_name: tls-server-not-before + description: Timestamp indicating when server certificate is first considered valid. 
+ example: '1970-01-01T00:00:00.000Z' + flat_name: tls.server.not_before + level: extended + name: server.not_before + normalize: [] + short: Timestamp indicating when server certificate is first considered valid. + type: date +tls.server.subject: + dashed_name: tls-server-subject + description: Subject of the x.509 certificate presented by the server. + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.server.subject + level: extended + name: server.subject + normalize: [] + short: Subject of the x.509 certificate presented by the server. + type: wildcard +tls.server.x509.alternative_names: + dashed_name: tls-server-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.server.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +tls.server.x509.issuer.common_name: + dashed_name: tls-server-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: tls.server.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword +tls.server.x509.issuer.country: + dashed_name: tls-server-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.server.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +tls.server.x509.issuer.distinguished_name: + dashed_name: tls-server-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: tls.server.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +tls.server.x509.issuer.locality: + dashed_name: tls-server-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.server.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.server.x509.issuer.organization: + dashed_name: tls-server-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: tls.server.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +tls.server.x509.issuer.organizational_unit: + dashed_name: tls-server-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: tls.server.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +tls.server.x509.issuer.state_or_province: + dashed_name: tls-server-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.server.x509.not_after: + dashed_name: tls-server-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.server.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +tls.server.x509.not_before: + dashed_name: tls-server-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.server.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.server.x509.public_key_algorithm: + dashed_name: tls-server-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.server.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. 
+ type: keyword +tls.server.x509.public_key_curve: + dashed_name: tls-server-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: tls.server.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +tls.server.x509.public_key_exponent: + dashed_name: tls-server-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.server.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +tls.server.x509.public_key_size: + dashed_name: tls-server-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.server.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +tls.server.x509.serial_number: + dashed_name: tls-server-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.server.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +tls.server.x509.signature_algorithm: + dashed_name: tls-server-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: tls.server.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +tls.server.x509.subject.common_name: + dashed_name: tls-server-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: tls.server.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +tls.server.x509.subject.country: + dashed_name: tls-server-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.server.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +tls.server.x509.subject.distinguished_name: + dashed_name: tls-server-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: tls.server.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard +tls.server.x509.subject.locality: + dashed_name: tls-server-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.server.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.server.x509.subject.organization: + dashed_name: tls-server-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: tls.server.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +tls.server.x509.subject.organizational_unit: + dashed_name: tls-server-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.server.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +tls.server.x509.subject.state_or_province: + dashed_name: tls-server-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.server.x509.version_number: + dashed_name: tls-server-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.server.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword +tls.version: + dashed_name: tls-version + description: Numeric part of the version parsed from the original string. + example: '1.2' + flat_name: tls.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Numeric part of the version parsed from the original string. + type: keyword +tls.version_protocol: + dashed_name: tls-version-protocol + description: Normalized lowercase protocol name parsed from original string. + example: tls + flat_name: tls.version_protocol + ignore_above: 1024 + level: extended + name: version_protocol + normalize: [] + short: Normalized lowercase protocol name parsed from original string. + type: keyword +trace.id: + dashed_name: trace-id + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For example, + a user request handled by multiple inter-connected services.' + example: 4bf92f3577b34da6a3ce929d0e0e4736 + flat_name: trace.id + ignore_above: 1024 + level: extended + name: trace.id + normalize: [] + short: Unique identifier of the trace. + type: keyword +transaction.id: + dashed_name: transaction-id + description: 'Unique identifier of the transaction within the scope of its trace. + + A transaction is the highest level of work measured within a service, such as + a request to a server.' + example: 00f067aa0ba902b7 + flat_name: transaction.id + ignore_above: 1024 + level: extended + name: transaction.id + normalize: [] + short: Unique identifier of the transaction within the scope of its trace. + type: keyword +url.domain: + dashed_name: url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + flat_name: url.domain + level: extended + name: domain + normalize: [] + short: Domain of the url. 
+ type: wildcard +url.extension: + dashed_name: url-extension + description: 'The field contains the file extension from the original request url. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png".' + example: png + flat_name: url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + short: File extension from the original request url. + type: keyword +url.fragment: + dashed_name: url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + short: Portion of the url after the `#`. + type: keyword +url.full: + dashed_name: url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: url.full + level: extended + multi_fields: + - flat_name: url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + short: Full unparsed URL. + type: wildcard +url.original: + dashed_name: url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: url.original + level: extended + multi_fields: + - flat_name: url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + short: Unmodified original url as seen in the event source. 
+ type: wildcard +url.password: + dashed_name: url-password + description: Password of the request. + flat_name: url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + short: Password of the request. + type: keyword +url.path: + dashed_name: url-path + description: Path of the request, such as "/search". + flat_name: url.path + level: extended + name: path + normalize: [] + short: Path of the request, such as "/search". + type: wildcard +url.port: + dashed_name: url-port + description: Port of the request, such as 443. + example: 443 + flat_name: url.port + format: string + level: extended + name: port + normalize: [] + short: Port of the request, such as 443. + type: long +url.query: + dashed_name: url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + short: Query string of the request. + type: keyword +url.registered_domain: + dashed_name: url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: url.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered url domain, stripped of the subdomain. + type: wildcard +url.scheme: + dashed_name: url-scheme + description: 'Scheme of the request, such as "https". 
+ + Note: The `:` is not part of the scheme.' + example: https + flat_name: url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + short: Scheme of the url. + type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword +url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +url.username: + dashed_name: url-username + description: Username of the request. + flat_name: url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + short: Username of the request. 
+ type: keyword +user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. 
+ flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. + example: albert + flat_name: user.changes.name + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +user.changes.roles: + dashed_name: user-changes-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.changes.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +user.domain: + dashed_name: user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the user is a member of. 
+ type: keyword +user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.effective.full_name + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. 
+ flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. + flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +user.effective.roles: + dashed_name: user-effective-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.effective.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +user.email: + dashed_name: user-email + description: User email address. + flat_name: user.email + level: extended + name: email + normalize: [] + short: User email address. + type: wildcard +user.full_name: + dashed_name: user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: user.full_name + level: extended + multi_fields: + - flat_name: user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + short: User's full name, if available. + type: wildcard +user.group.domain: + dashed_name: user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.group.id: + dashed_name: user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +user.group.name: + dashed_name: user-group-name + description: Name of the group. + flat_name: user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.hash: + dashed_name: user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.id: + dashed_name: user-id + description: Unique identifier of the user. + flat_name: user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of the user. + type: keyword +user.name: + dashed_name: user-name + description: Short name or login of the user. 
+ example: albert + flat_name: user.name + level: core + multi_fields: + - flat_name: user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Short name or login of the user. + type: wildcard +user.roles: + dashed_name: user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + short: Array of user roles at the time of the event. + type: keyword +user.target.domain: + dashed_name: user-target-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.target.email: + dashed_name: user-target-email + description: User email address. + flat_name: user.target.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard +user.target.full_name: + dashed_name: user-target-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.target.full_name + level: extended + multi_fields: + - flat_name: user.target.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard +user.target.group.domain: + dashed_name: user-target-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +user.target.group.id: + dashed_name: user-target-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.target.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +user.target.group.name: + dashed_name: user-target-group-name + description: Name of the group. + flat_name: user.target.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.target.hash: + dashed_name: user-target-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.target.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.target.id: + dashed_name: user-target-id + description: Unique identifier of the user. + flat_name: user.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.target.name: + dashed_name: user-target-name + description: Short name or login of the user. + example: albert + flat_name: user.target.name + level: core + multi_fields: + - flat_name: user.target.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard +user.target.roles: + dashed_name: user-target-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: user.target.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword +user_agent.device.name: + dashed_name: user-agent-device-name + description: Name of the device. + example: iPhone + flat_name: user_agent.device.name + ignore_above: 1024 + level: extended + name: device.name + normalize: [] + short: Name of the device. + type: keyword +user_agent.name: + dashed_name: user-agent-name + description: Name of the user agent. + example: Safari + flat_name: user_agent.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the user agent. + type: keyword +user_agent.original: + dashed_name: user-agent-original + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + flat_name: user_agent.original + level: extended + multi_fields: + - flat_name: user_agent.original.text + name: text + norms: false + type: text + name: original + normalize: [] + short: Unparsed user_agent string. + type: wildcard +user_agent.os.family: + dashed_name: user-agent-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: user_agent.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword +user_agent.os.full: + dashed_name: user-agent-os-full + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + flat_name: user_agent.os.full + level: extended + multi_fields: + - flat_name: user_agent.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard +user_agent.os.kernel: + dashed_name: user-agent-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: user_agent.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword +user_agent.os.name: + dashed_name: user-agent-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: user_agent.os.name + level: extended + multi_fields: + - flat_name: user_agent.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard +user_agent.os.platform: + dashed_name: user-agent-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: user_agent.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword +user_agent.os.version: + dashed_name: user-agent-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: user_agent.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword +user_agent.version: + dashed_name: user-agent-version + description: Version of the user agent. 
+ example: 12.0 + flat_name: user_agent.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Version of the user agent. + type: keyword +vulnerability.category: + dashed_name: vulnerability-category + description: 'The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for example, + Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys + vulnerability categories]) + + This field must be an array.' + example: '["Firewall"]' + flat_name: vulnerability.category + ignore_above: 1024 + level: extended + name: category + normalize: + - array + short: Category of a vulnerability. + type: keyword +vulnerability.classification: + dashed_name: vulnerability-classification + description: The classification of the vulnerability scoring system. For example + (https://www.first.org/cvss/) + example: CVSS + flat_name: vulnerability.classification + ignore_above: 1024 + level: extended + name: classification + normalize: [] + short: Classification of the vulnerability. + type: keyword +vulnerability.description: + dashed_name: vulnerability-description + description: The description of the vulnerability that provides additional context + of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common + Vulnerabilities and Exposure CVE description]) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + flat_name: vulnerability.description + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: vulnerability.description.text + name: text + norms: false + type: text + name: description + normalize: [] + short: Description of the vulnerability. + type: keyword +vulnerability.enumeration: + dashed_name: vulnerability-enumeration + description: The type of identifier used for this vulnerability. 
For example (https://cve.mitre.org/about/) + example: CVE + flat_name: vulnerability.enumeration + ignore_above: 1024 + level: extended + name: enumeration + normalize: [] + short: Identifier of the vulnerability. + type: keyword +vulnerability.id: + dashed_name: vulnerability-id + description: The identification (ID) is the number portion of a vulnerability entry. + It includes a unique identification number for the vulnerability. For example + (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities + and Exposure CVE ID] + example: CVE-2019-00001 + flat_name: vulnerability.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: ID of the vulnerability. + type: keyword +vulnerability.reference: + dashed_name: vulnerability-reference + description: A resource that provides additional information, context, and mitigations + for the identified vulnerability. + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + flat_name: vulnerability.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Reference of the vulnerability. + type: keyword +vulnerability.report_id: + dashed_name: vulnerability-report-id + description: The report or scan identification number. + example: 20191018.0001 + flat_name: vulnerability.report_id + ignore_above: 1024 + level: extended + name: report_id + normalize: [] + short: Scan identification number. + type: keyword +vulnerability.scanner.vendor: + dashed_name: vulnerability-scanner-vendor + description: The name of the vulnerability scanner vendor. + example: Tenable + flat_name: vulnerability.scanner.vendor + ignore_above: 1024 + level: extended + name: scanner.vendor + normalize: [] + short: Name of the scanner vendor. + type: keyword +vulnerability.score.base: + dashed_name: vulnerability-score-base + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
+ + Base scores cover an assessment for exploitability metrics (attack vector, complexity, + privileges, and user interaction), impact metrics (confidentiality, integrity, + and availability), and scope. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.base + level: extended + name: score.base + normalize: [] + short: Vulnerability Base score. + type: float +vulnerability.score.environmental: + dashed_name: vulnerability-score-environmental + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.environmental + level: extended + name: score.environmental + normalize: [] + short: Vulnerability Environmental score. + type: float +vulnerability.score.temporal: + dashed_name: vulnerability-score-temporal + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, and + confidence. For example (https://www.first.org/cvss/specification-document)' + flat_name: vulnerability.score.temporal + level: extended + name: score.temporal + normalize: [] + short: Vulnerability Temporal score. + type: float +vulnerability.score.version: + dashed_name: vulnerability-score-version + description: 'The National Vulnerability Database (NVD) provides qualitative severity + rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition + to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, + whose mission is to help computer security incident response teams across the + world. 
For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 + flat_name: vulnerability.score.version + ignore_above: 1024 + level: extended + name: score.version + normalize: [] + short: CVSS version. + type: keyword +vulnerability.severity: + dashed_name: vulnerability-severity + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical + flat_name: vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + normalize: [] + short: Severity of the vulnerability. + type: keyword diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml new file mode 100644 index 0000000000..1c40d63dfd --- /dev/null +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -0,0 +1,10663 @@ +agent: + description: 'The agent fields contain the data about the software entity, if any, + that collects, detects, or observes events on a host, or takes measurements on + a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields shall + be populated with details of the agent running on the host or observer where the + event happened or the measurement was taken.' + fields: + agent.build.original: + dashed_name: agent-build-original + description: 'Extended build information for the agent. + + This field is intended to contain any build information that a data source + may provide, no specific formatting is required.' + example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c + built 2020-02-05 23:10:10 +0000 UTC] + flat_name: agent.build.original + level: core + name: build.original + normalize: [] + short: Extended build information for the agent. + type: wildcard + agent.ephemeral_id: + dashed_name: agent-ephemeral-id + description: 'Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not.' + example: 8a4f500f + flat_name: agent.ephemeral_id + ignore_above: 1024 + level: extended + name: ephemeral_id + normalize: [] + short: Ephemeral identifier of this agent. + type: keyword + agent.id: + dashed_name: agent-id + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + flat_name: agent.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of this agent. + type: keyword + agent.name: + dashed_name: agent-name + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. 
+ + If no name is given, the name is often left empty.' + example: foo + flat_name: agent.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Custom name of the agent. + type: keyword + agent.type: + dashed_name: agent-type + description: 'Type of the agent. + + The agent type always stays the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + flat_name: agent.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: Type of the agent. + type: keyword + agent.version: + dashed_name: agent-version + description: Version of the agent. + example: 6.0.0-rc2 + flat_name: agent.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Version of the agent. + type: keyword + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + group: 2 + name: agent + prefix: agent. + short: Fields about the monitoring agent. + title: Agent + type: group +as: + description: An autonomous system (AS) is a collection of connected Internet Protocol + (IP) routing prefixes under the control of one or more network operators on behalf + of a single administrative entity or domain that presents a common, clearly defined + routing policy to the internet. + fields: + as.number: + dashed_name: as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: as.number + level: extended + name: number + normalize: [] + short: Unique number allocated to the autonomous system. 
+ type: long + as.organization.name: + dashed_name: as-organization-name + description: Organization name. + example: Google LLC + flat_name: as.organization.name + level: extended + multi_fields: + - flat_name: as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + short: Organization name. + type: wildcard + group: 2 + name: as + prefix: as. + reusable: + expected: + - as: as + at: client + full: client.as + - as: as + at: destination + full: destination.as + - as: as + at: server + full: server.as + - as: as + at: source + full: source.as + top_level: false + short: Fields describing an Autonomous System (Internet routing prefix). + title: Autonomous System + type: group +base: + description: The `base` field set contains all fields which are at the root of the + events. These fields are common across all types of events. + fields: + '@timestamp': + dashed_name: -timestamp + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' + flat_name: '@timestamp' + level: core + name: '@timestamp' + normalize: [] + required: true + short: Date/time when the event originated. + type: date + labels: + dashed_name: labels + description: 'Custom key/value pairs. + + Can be used to add meta information to events. Should not contain nested objects. + All values are stored as keyword. + + Example: `docker` and `k8s` labels.' + example: '{"application": "foo-bar", "env": "production"}' + flat_name: labels + level: core + name: labels + normalize: [] + object_type: keyword + short: Custom key/value pairs. 
+ type: object + message: + dashed_name: message + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be + concatenated to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World + flat_name: message + level: core + name: message + normalize: [] + norms: false + short: Log message optimized for viewing in a log viewer. + type: text + tags: + dashed_name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + flat_name: tags + ignore_above: 1024 + level: core + name: tags + normalize: + - array + short: List of keywords used to tag each event. + type: keyword + group: 1 + name: base + prefix: '' + root: true + short: All fields defined directly at the root of the events. + title: Base + type: group +client: + description: 'A client is defined as the initiator of a network connection for events + regarding sessions, connections, or bidirectional flow records. + + For TCP events, the client is the initiator of the TCP connection that sends the + SYN packet(s). For other protocols, the client is generally the initiator or requestor + in the network transaction. Some systems use the term "originator" to refer the + client in TCP connections. The client fields describe details about the system + acting as the client in the network event. Client fields are usually populated + in conjunction with server fields. Client fields are generally not populated for + packet-level events. + + Client / server representations can add semantic context to an exchange, which + is helpful to visualize the data in certain situations. If your context falls + in that category, you should still ensure that source and destination are filled + appropriately.' 
+ fields: + client.address: + dashed_name: client-address + description: 'Some event client addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: client.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Client network address. + type: keyword + client.as.number: + dashed_name: client-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: client.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + client.as.organization.name: + dashed_name: client-as-organization-name + description: Organization name. + example: Google LLC + flat_name: client.as.organization.name + level: extended + multi_fields: + - flat_name: client.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + client.bytes: + dashed_name: client-bytes + description: Bytes sent from the client to the server. + example: 184 + flat_name: client.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the client to the server. + type: long + client.domain: + dashed_name: client-domain + description: Client domain. + flat_name: client.domain + level: core + name: domain + normalize: [] + short: Client domain. + type: wildcard + client.geo.city_name: + dashed_name: client-geo-city-name + description: City name. 
+ example: Montreal + flat_name: client.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + client.geo.continent_name: + dashed_name: client-geo-continent-name + description: Name of the continent. + example: North America + flat_name: client.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + client.geo.country_iso_code: + dashed_name: client-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: client.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + client.geo.country_name: + dashed_name: client-geo-country-name + description: Country name. + example: Canada + flat_name: client.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + client.geo.location: + dashed_name: client-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: client.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + client.geo.name: + dashed_name: client-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: client.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. 
+ type: wildcard + client.geo.region_iso_code: + dashed_name: client-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: client.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + client.geo.region_name: + dashed_name: client-geo-region-name + description: Region name. + example: Quebec + flat_name: client.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + client.ip: + dashed_name: client-ip + description: IP address of the client (IPv4 or IPv6). + flat_name: client.ip + level: core + name: ip + normalize: [] + short: IP address of the client. + type: ip + client.mac: + dashed_name: client-mac + description: MAC address of the client. + flat_name: client.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the client. + type: keyword + client.nat.ip: + dashed_name: client-nat-ip + description: 'Translated IP of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: client.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Client NAT ip address + type: ip + client.nat.port: + dashed_name: client-nat-port + description: 'Translated port of source based NAT sessions (e.g. internal client + to internet). + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: client.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Client NAT port + type: long + client.packets: + dashed_name: client-packets + description: Packets sent from the client to the server. + example: 12 + flat_name: client.packets + level: core + name: packets + normalize: [] + short: Packets sent from the client to the server. 
+ type: long + client.port: + dashed_name: client-port + description: Port of the client. + flat_name: client.port + format: string + level: core + name: port + normalize: [] + short: Port of the client. + type: long + client.registered_domain: + dashed_name: client-registered-domain + description: 'The highest registered client domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: client.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered client domain, stripped of the subdomain. + type: wildcard + client.subdomain: + dashed_name: client-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: client.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + client.top_level_domain: + dashed_name: client-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". 
+ + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: client.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + client.user.domain: + dashed_name: client-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: client.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + client.user.email: + dashed_name: client-user-email + description: User email address. + flat_name: client.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + client.user.full_name: + dashed_name: client-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: client.user.full_name + level: extended + multi_fields: + - flat_name: client.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard + client.user.group.domain: + dashed_name: client-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: client.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + client.user.group.id: + dashed_name: client-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: client.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + client.user.group.name: + dashed_name: client-user-group-name + description: Name of the group. + flat_name: client.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + client.user.hash: + dashed_name: client-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: client.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + client.user.id: + dashed_name: client-user-id + description: Unique identifier of the user. + flat_name: client.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + client.user.name: + dashed_name: client-user-name + description: Short name or login of the user. + example: albert + flat_name: client.user.name + level: core + multi_fields: + - flat_name: client.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + client.user.roles: + dashed_name: client-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: client.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ type: keyword + group: 2 + name: client + nestings: + - client.as + - client.geo + - client.user + prefix: client. + reused_here: + - full: client.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: client.geo + schema_name: geo + short: Fields describing a location. + - full: client.user + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields about the client side of a network connection, used with server. + title: Client + type: group +cloud: + description: Fields related to the cloud or infrastructure the events are coming + from. + fields: + cloud.account.id: + dashed_name: cloud-account-id + description: 'The cloud account or organization id used to identify different + entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + flat_name: cloud.account.id + ignore_above: 1024 + level: extended + name: account.id + normalize: [] + short: The cloud account or organization id. + type: keyword + cloud.account.name: + dashed_name: cloud-account-name + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev + flat_name: cloud.account.name + ignore_above: 1024 + level: extended + name: account.name + normalize: [] + short: The cloud account name. + type: keyword + cloud.availability_zone: + dashed_name: cloud-availability-zone + description: Availability zone in which this host is running. + example: us-east-1c + flat_name: cloud.availability_zone + ignore_above: 1024 + level: extended + name: availability_zone + normalize: [] + short: Availability zone in which this host is running. + type: keyword + cloud.instance.id: + dashed_name: cloud-instance-id + description: Instance ID of the host machine. 
+ example: i-1234567890abcdef0 + flat_name: cloud.instance.id + ignore_above: 1024 + level: extended + name: instance.id + normalize: [] + short: Instance ID of the host machine. + type: keyword + cloud.instance.name: + dashed_name: cloud-instance-name + description: Instance name of the host machine. + flat_name: cloud.instance.name + ignore_above: 1024 + level: extended + name: instance.name + normalize: [] + short: Instance name of the host machine. + type: keyword + cloud.machine.type: + dashed_name: cloud-machine-type + description: Machine type of the host machine. + example: t2.medium + flat_name: cloud.machine.type + ignore_above: 1024 + level: extended + name: machine.type + normalize: [] + short: Machine type of the host machine. + type: keyword + cloud.project.id: + dashed_name: cloud-project-id + description: 'The cloud project identifier. + + Examples: Google Cloud Project id, Azure Project id.' + example: my-project + flat_name: cloud.project.id + ignore_above: 1024 + level: extended + name: project.id + normalize: [] + short: The cloud project id. + type: keyword + cloud.project.name: + dashed_name: cloud-project-name + description: 'The cloud project name. + + Examples: Google Cloud Project name, Azure Project name.' + example: my project + flat_name: cloud.project.name + ignore_above: 1024 + level: extended + name: project.name + normalize: [] + short: The cloud project name. + type: keyword + cloud.provider: + dashed_name: cloud-provider + description: Name of the cloud provider. Example values are aws, azure, gcp, + or digitalocean. + example: aws + flat_name: cloud.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + short: Name of the cloud provider. + type: keyword + cloud.region: + dashed_name: cloud-region + description: Region in which this host is running. 
+ example: us-east-1 + flat_name: cloud.region + ignore_above: 1024 + level: extended + name: region + normalize: [] + short: Region in which this host is running. + type: keyword + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from + its host, the cloud info contains the data about this machine. If Metricbeat runs + on a remote machine outside the cloud and fetches data from a service running + in the cloud, the field contains cloud data from the machine the service is running + on.' + group: 2 + name: cloud + prefix: cloud. + short: Fields about the cloud resource. + title: Cloud + type: group +code_signature: + description: These fields contain information about binary code signatures. + fields: + code_signature.exists: + dashed_name: code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: code_signature.exists + level: core + name: exists + normalize: [] + short: Boolean to capture if a signature is present. + type: boolean + code_signature.status: + dashed_name: code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + short: Additional information about the certificate status. 
+ type: keyword + code_signature.subject_name: + dashed_name: code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: code_signature.trusted + level: extended + name: trusted + normalize: [] + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: code_signature.valid + level: extended + name: valid + normalize: [] + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + group: 2 + name: code_signature + prefix: code_signature. + reusable: + expected: + - as: code_signature + at: file + full: file.code_signature + - as: code_signature + at: process + full: process.code_signature + - as: code_signature + at: dll + full: dll.code_signature + top_level: false + short: These fields contain information about binary code signatures. + title: Code Signature + type: group +container: + description: 'Container fields are used for meta information about the specific + container that is the source of information. + + These fields help correlate data based containers from any runtime.' + fields: + container.id: + dashed_name: container-id + description: Unique container id. 
+ flat_name: container.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique container id. + type: keyword + container.image.name: + dashed_name: container-image-name + description: Name of the image the container was built on. + flat_name: container.image.name + ignore_above: 1024 + level: extended + name: image.name + normalize: [] + short: Name of the image the container was built on. + type: keyword + container.image.tag: + dashed_name: container-image-tag + description: Container image tags. + flat_name: container.image.tag + ignore_above: 1024 + level: extended + name: image.tag + normalize: + - array + short: Container image tags. + type: keyword + container.labels: + dashed_name: container-labels + description: Image labels. + flat_name: container.labels + level: extended + name: labels + normalize: [] + object_type: keyword + short: Image labels. + type: object + container.name: + dashed_name: container-name + description: Container name. + flat_name: container.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Container name. + type: keyword + container.runtime: + dashed_name: container-runtime + description: Runtime managing this container. + example: docker + flat_name: container.runtime + ignore_above: 1024 + level: extended + name: runtime + normalize: [] + short: Runtime managing this container. + type: keyword + group: 2 + name: container + prefix: container. + short: Fields describing the container that generated this event. + title: Container + type: group +destination: + description: 'Destination fields capture details about the receiver of a network + exchange/packet. These fields are populated from a network event, packet, or other + event containing details of a network transaction. + + Destination fields are usually populated in conjunction with source fields. 
The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' + fields: + destination.address: + dashed_name: destination-address + description: 'Some event destination addresses are defined ambiguously. The + event will sometimes list an IP, a domain or a unix socket. You should always + store the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: destination.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Destination network address. + type: keyword + destination.as.number: + dashed_name: destination-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: destination.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + destination.as.organization.name: + dashed_name: destination-as-organization-name + description: Organization name. + example: Google LLC + flat_name: destination.as.organization.name + level: extended + multi_fields: + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + destination.bytes: + dashed_name: destination-bytes + description: Bytes sent from the destination to the source. + example: 184 + flat_name: destination.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the destination to the source. 
+ type: long + destination.domain: + dashed_name: destination-domain + description: Destination domain. + flat_name: destination.domain + level: core + name: domain + normalize: [] + short: Destination domain. + type: wildcard + destination.geo.city_name: + dashed_name: destination-geo-city-name + description: City name. + example: Montreal + flat_name: destination.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + destination.geo.continent_name: + dashed_name: destination-geo-continent-name + description: Name of the continent. + example: North America + flat_name: destination.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + destination.geo.country_iso_code: + dashed_name: destination-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: destination.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + destination.geo.country_name: + dashed_name: destination-geo-country-name + description: Country name. + example: Canada + flat_name: destination.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + destination.geo.location: + dashed_name: destination-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: destination.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + destination.geo.name: + dashed_name: destination-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: destination.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + destination.geo.region_iso_code: + dashed_name: destination-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: destination.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + destination.geo.region_name: + dashed_name: destination-geo-region-name + description: Region name. + example: Quebec + flat_name: destination.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + destination.ip: + dashed_name: destination-ip + description: IP address of the destination (IPv4 or IPv6). + flat_name: destination.ip + level: core + name: ip + normalize: [] + short: IP address of the destination. + type: ip + destination.mac: + dashed_name: destination-mac + description: MAC address of the destination. + flat_name: destination.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the destination. + type: keyword + destination.nat.ip: + dashed_name: destination-nat-ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: destination.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Destination NAT ip + type: ip + destination.nat.port: + dashed_name: destination-nat-port + description: 'Port the source session is translated to by NAT Device. + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: destination.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Destination NAT Port + type: long + destination.packets: + dashed_name: destination-packets + description: Packets sent from the destination to the source. + example: 12 + flat_name: destination.packets + level: core + name: packets + normalize: [] + short: Packets sent from the destination to the source. + type: long + destination.port: + dashed_name: destination-port + description: Port of the destination. + flat_name: destination.port + format: string + level: core + name: port + normalize: [] + short: Port of the destination. + type: long + destination.registered_domain: + dashed_name: destination-registered-domain + description: 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: destination.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered destination domain, stripped of the subdomain. + type: wildcard + destination.subdomain: + dashed_name: destination-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + flat_name: destination.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + destination.top_level_domain: + dashed_name: destination-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: destination.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + destination.user.domain: + dashed_name: destination-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: destination.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + destination.user.email: + dashed_name: destination-user-email + description: User email address. + flat_name: destination.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + destination.user.full_name: + dashed_name: destination-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: destination.user.full_name + level: extended + multi_fields: + - flat_name: destination.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: wildcard + destination.user.group.domain: + dashed_name: destination-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: destination.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + destination.user.group.id: + dashed_name: destination-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: destination.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + destination.user.group.name: + dashed_name: destination-user-group-name + description: Name of the group. + flat_name: destination.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + destination.user.hash: + dashed_name: destination-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: destination.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + destination.user.id: + dashed_name: destination-user-id + description: Unique identifier of the user. + flat_name: destination.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + destination.user.name: + dashed_name: destination-user-name + description: Short name or login of the user. 
+ example: albert + flat_name: destination.user.name + level: core + multi_fields: + - flat_name: destination.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + destination.user.roles: + dashed_name: destination-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: destination.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + group: 2 + name: destination + nestings: + - destination.as + - destination.geo + - destination.user + prefix: destination. + reused_here: + - full: destination.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: destination.geo + schema_name: geo + short: Fields describing a location. + - full: destination.user + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields about the destination side of a network connection, used with source. + title: Destination + type: group +dll: + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + fields: + dll.code_signature.exists: + dashed_name: dll-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: dll.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + dll.code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + dll.code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + dll.code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + dll.code_signature.valid: + dashed_name: dll-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + dll.hash.md5: + dashed_name: dll-hash-md5 + description: MD5 hash. + flat_name: dll.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + dll.hash.sha1: + dashed_name: dll-hash-sha1 + description: SHA1 hash. + flat_name: dll.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + dll.hash.sha256: + dashed_name: dll-hash-sha256 + description: SHA256 hash. + flat_name: dll.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + dll.hash.sha512: + dashed_name: dll-hash-sha512 + description: SHA512 hash. + flat_name: dll.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + dll.name: + dashed_name: dll-name + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + flat_name: dll.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the library. + type: keyword + dll.path: + dashed_name: dll-path + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + flat_name: dll.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + short: Full file path of the library. + type: keyword + dll.pe.architecture: + dashed_name: dll-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: dll.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + dll.pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + dll.pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + dll.pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + dll.pe.imphash: + dashed_name: dll-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: dll.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword + dll.pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + dll.pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + group: 2 + name: dll + nestings: + - dll.code_signature + - dll.hash + - dll.pe + prefix: dll. + reused_here: + - full: dll.code_signature + schema_name: code_signature + short: These fields contain information about binary code signatures. + - full: dll.hash + schema_name: hash + short: Hashes, usually file hashes. + - full: dll.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + short: These fields contain information about code libraries dynamically loaded + into processes. + title: DLL + type: group +dns: + description: 'Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the query + details as well as all of the answers that were provided for this query (`dns.type:answer`).' + fields: + dns.answers.class: + dashed_name: dns-answers-class + description: The class of DNS data contained in this resource record. + example: IN + flat_name: dns.answers.class + ignore_above: 1024 + level: extended + name: answers.class + normalize: [] + short: The class of DNS data contained in this resource record. 
+ type: keyword + dns.answers.data: + dashed_name: dns-answers-data + description: 'The data describing the resource. + + The meaning of this data depends on the type and class of the resource record.' + example: 10.10.10.10 + flat_name: dns.answers.data + level: extended + name: answers.data + normalize: [] + short: The data describing the resource. + type: wildcard + dns.answers.name: + dashed_name: dns-answers-name + description: 'The domain name to which this resource record pertains. + + If a chain of CNAME is being resolved, each answer''s `name` should be the + one that corresponds with the answer''s `data`. It should not simply be the + original `question.name` repeated.' + example: www.example.com + flat_name: dns.answers.name + ignore_above: 1024 + level: extended + name: answers.name + normalize: [] + short: The domain name to which this resource record pertains. + type: keyword + dns.answers.ttl: + dashed_name: dns-answers-ttl + description: The time interval in seconds that this resource record may be cached + before it should be discarded. Zero values mean that the data should not be + cached. + example: 180 + flat_name: dns.answers.ttl + level: extended + name: answers.ttl + normalize: [] + short: The time interval in seconds that this resource record may be cached + before it should be discarded. + type: long + dns.answers.type: + dashed_name: dns-answers-type + description: The type of data contained in this resource record. + example: CNAME + flat_name: dns.answers.type + ignore_above: 1024 + level: extended + name: answers.type + normalize: [] + short: The type of data contained in this resource record. + type: keyword + dns.header_flags: + dashed_name: dns-header-flags + description: 'Array of 2 letter DNS header flags. + + Expected values are: AA, TC, RD, RA, AD, CD, DO.' + example: '["RD", "RA"]' + flat_name: dns.header_flags + ignore_above: 1024 + level: extended + name: header_flags + normalize: + - array + short: Array of DNS header flags. 
+ type: keyword + dns.id: + dashed_name: dns-id + description: The DNS packet identifier assigned by the program that generated + the query. The identifier is copied to the response. + example: 62111 + flat_name: dns.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: The DNS packet identifier assigned by the program that generated the + query. The identifier is copied to the response. + type: keyword + dns.op_code: + dashed_name: dns-op-code + description: The DNS operation code that specifies the kind of query in the + message. This value is set by the originator of a query and copied into the + response. + example: QUERY + flat_name: dns.op_code + ignore_above: 1024 + level: extended + name: op_code + normalize: [] + short: The DNS operation code that specifies the kind of query in the message. + type: keyword + dns.question.class: + dashed_name: dns-question-class + description: The class of records being queried. + example: IN + flat_name: dns.question.class + ignore_above: 1024 + level: extended + name: question.class + normalize: [] + short: The class of records being queried. + type: keyword + dns.question.name: + dashed_name: dns-question-name + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.example.com + flat_name: dns.question.name + level: extended + name: question.name + normalize: [] + short: The name being queried. + type: wildcard + dns.question.registered_domain: + dashed_name: dns-question-registered-domain + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". 
+ + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: dns.question.registered_domain + ignore_above: 1024 + level: extended + name: question.registered_domain + normalize: [] + short: The highest registered domain, stripped of the subdomain. + type: keyword + dns.question.subdomain: + dashed_name: dns-question-subdomain + description: 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + flat_name: dns.question.subdomain + ignore_above: 1024 + level: extended + name: question.subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + dns.question.top_level_domain: + dashed_name: dns-question-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: dns.question.top_level_domain + ignore_above: 1024 + level: extended + name: question.top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + dns.question.type: + dashed_name: dns-question-type + description: The type of record being queried. + example: AAAA + flat_name: dns.question.type + ignore_above: 1024 + level: extended + name: question.type + normalize: [] + short: The type of record being queried. 
+ type: keyword + dns.resolved_ip: + dashed_name: dns-resolved-ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for.' + example: '["10.10.10.10", "10.10.10.11"]' + flat_name: dns.resolved_ip + level: extended + name: resolved_ip + normalize: + - array + short: Array containing all IPs seen in answers.data + type: ip + dns.response_code: + dashed_name: dns-response-code + description: The DNS response code. + example: NOERROR + flat_name: dns.response_code + ignore_above: 1024 + level: extended + name: response_code + normalize: [] + short: The DNS response code. + type: keyword + dns.type: + dashed_name: dns-type + description: 'The type of DNS event captured, query or answer. + + If your source of DNS events only gives you DNS queries, you should only create + dns events of type `dns.type:query`. + + If your source of DNS events gives you answers as well, you should create + one event per query (optionally as soon as the query is seen). And a second + event containing all query details as well as an array of answers.' + example: answer + flat_name: dns.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: The type of DNS event captured, query or answer. + type: keyword + group: 2 + name: dns + prefix: dns. + short: Fields describing DNS queries and answers. + title: DNS + type: group +ecs: + description: Meta-information specific to ECS. + fields: + ecs.version: + dashed_name: ecs-version + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. 
+ + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 + flat_name: ecs.version + ignore_above: 1024 + level: core + name: version + normalize: [] + required: true + short: ECS version this event conforms to. + type: keyword + group: 2 + name: ecs + prefix: ecs. + short: Meta-information specific to ECS. + title: ECS + type: group +error: + description: 'These fields can represent errors of any kind. + + Use them for errors that happen while fetching events or in cases where the event + itself contains an error.' + fields: + error.code: + dashed_name: error-code + description: Error code describing the error. + flat_name: error.code + ignore_above: 1024 + level: core + name: code + normalize: [] + short: Error code describing the error. + type: keyword + error.id: + dashed_name: error-id + description: Unique identifier for the error. + flat_name: error.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the error. + type: keyword + error.message: + dashed_name: error-message + description: Error message. + flat_name: error.message + level: core + name: message + normalize: [] + norms: false + short: Error message. + type: text + error.stack_trace: + dashed_name: error-stack-trace + description: The stack trace of this error in plain text. + flat_name: error.stack_trace + index: true + level: extended + multi_fields: + - flat_name: error.stack_trace.text + name: text + norms: false + type: text + name: stack_trace + normalize: [] + short: The stack trace of this error in plain text. + type: wildcard + error.type: + dashed_name: error-type + description: The type of the error, for example the class name of the exception. 
+ example: java.lang.NullPointerException + flat_name: error.type + level: extended + name: type + normalize: [] + short: The type of the error, for example the class name of the exception. + type: wildcard + group: 2 + name: error + prefix: error. + short: Fields about errors of any kind. + title: Error + type: group +event: + description: 'The event fields are used for context information about the log or + metric event itself. + + A log is defined as an event containing details of something that happened. Log + events must include the time at which the thing happened. Examples of log events + include a process starting on a host, a network packet being sent from a source + to a destination, or a network connection between a client and a server being + initiated or closed. A metric is defined as an event containing one or more numerical + measurements and the time at which the measurement was taken. Examples of metric + events include memory pressure measured on a host and device temperature. See + the `event.kind` definition in this section for additional details about metric + and state events.' + fields: + event.action: + dashed_name: event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + flat_name: event.action + ignore_above: 1024 + level: core + name: action + normalize: [] + short: The action captured by the event. + type: keyword + event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh + logs. 
Visualize and analyze events in this category to look for failed logins, + and other authentication-related activity. + expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to + a data storage and retrieval system. Note that use of this category is not + limited to relational database systems. Examples include event logs from + MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize + and analyze database activity such as accesses and changes. + expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system + device drivers and similar software entities such as Windows drivers, kernel + extensions, kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' + expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or + has existed on a filesystem. Use this category of events to visualize and + analyze the creation, access, and deletions of files. Events in this category + can come from both host-based and network-based sources. An example source + of a network-based detection of a file transfer would be the Zeek file.log. 
+ expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such + as host inventory or host lifecycle events. + + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can + also be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is + not meant to capture activity "happening on a host".' + expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, + groups, and administration. Use this category to visualize and analyze IAM-related + logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. Use this category to visualize and analyze + intrusion detection alerts from systems such as Snort, Suricata, and Palo + Alto threat detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS + systems such as Suricata, or other sources of malware-related events such + as Palo Alto Networks threat logs and Wildfire logs. + expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection + lifecycle, network traffic, and essentially any event that includes an IP + address. 
Many events containing decoded network protocol transactions fit + into this category. Use events in this category to visualize or analyze + counts of network ports, protocols, addresses, geolocation information, + etc. + expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, + or to determine host vulnerability in the absence of vulnerability scan + data. + expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: 'Relating to web server access. Use this category to create a + dashboard of web server/proxy activity from apache, IIS, nginx web servers, + etc. Note: events from network observers such as Zeek http log may also + be included in this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: event-category + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + flat_name: event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + short: Event category. 
The second categorization field in the hierarchy. + type: keyword + event.code: + dashed_name: event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + flat_name: event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + short: Identification code for this event. + type: keyword + event.created: + dashed_name: event-created + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + flat_name: event.created + level: core + name: created + normalize: [] + short: Time when the event was first read by an agent or by your pipeline. + type: date + event.dataset: + dashed_name: event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + flat_name: event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + short: Name of the dataset. 
+ type: keyword + event.duration: + dashed_name: event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + flat_name: event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long + event.end: + dashed_name: event-end + description: event.end contains the date when the event ended or when the activity + was last observed. + flat_name: event.end + level: extended + name: end + normalize: [] + short: event.end contains the date when the event ended or when the activity + was last observed. + type: date + event.hash: + dashed_name: event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + flat_name: event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword + event.id: + dashed_name: event-id + description: Unique ID to describe the event. + example: 8a4f500d + flat_name: event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique ID to describe the event. + type: keyword + event.ingested: + dashed_name: event-ingested + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' 
+ example: '2016-05-23T08:05:35.101Z' + flat_name: event.ingested + level: core + name: ingested + normalize: [] + short: Timestamp when an event arrived in the central data store. + type: date + event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. + + `event.kind:alert` is often populated for events coming from firewalls, + intrusion detection systems, endpoint detection and response systems, and + so on.' + name: alert + - description: This value is the most general and most common value for this + field. It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once + every few seconds, or once a minute, but can also be used to describe ad-hoc + numeric metric queries.' + name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. + + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state + of a host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard + (compliant, not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the + more general event definition of something that happened. 
+ + State events are often collected on a predictable frequency, such as once + every few seconds, once a minute, once an hour, or once a day, but can also + be used to describe ad-hoc state queries.' + name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. + name: pipeline_error + - description: 'This value is used by the Elastic SIEM app to denote an Elasticsearch + document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful + happened and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + flat_name: event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword + event.module: + dashed_name: event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' 
+ example: apache + flat_name: event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + short: Name of the module this data is coming from. + type: keyword + event.original: + dashed_name: event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`.' + doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: event.original + index: false + level: core + name: original + normalize: [] + short: Raw text message of entire event. + type: wildcard + event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. A common + example is `event.category:file AND event.type:access AND event.outcome:failure` + to indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. + name: success + - description: Indicates that this event describes only an attempt for which + the result is unknown from the perspective of the event producer. For example, + if the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome + doesn't make logical sense for the event. In such cases `event.outcome` + should not be populated. + name: unknown + dashed_name: event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. 
+ + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + flat_name: event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + short: The outcome of the event. The lowest level categorization field in the + hierarchy. + type: keyword + event.provider: + dashed_name: event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + short: Source of the event. + type: keyword + event.reason: + dashed_name: event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. 
For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + flat_name: event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + short: Reason why this event happened, according to the source + type: keyword + event.reference: + dashed_name: event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of the this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + flat_name: event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Event reference URL + type: keyword + event.risk_score: + dashed_name: event-risk-score + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + flat_name: event.risk_score + level: core + name: risk_score + normalize: [] + short: Risk score or priority of the event (e.g. security solutions). Use your + system's original value here. + type: float + event.risk_score_norm: + dashed_name: event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + short: Normalized risk score or priority of the event (0-100). + type: float + event.sequence: + dashed_name: event-sequence + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ flat_name: event.sequence + format: string + level: extended + name: sequence + normalize: [] + short: Sequence number of the event. + type: long + event.severity: + dashed_name: event-severity + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: event.severity + format: string + level: core + name: severity + normalize: [] + short: Numeric severity of the event. + type: long + event.start: + dashed_name: event-start + description: event.start contains the date when the event started or when the + activity was first observed. + flat_name: event.start + level: extended + name: start + normalize: [] + short: event.start contains the date when the event started or when the activity + was first observed. + type: date + event.timezone: + dashed_name: event-timezone + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + short: Event time zone. + type: keyword + event.type: + allowed_values: + - description: The access event type is used for the subset of events within + a category that indicate that something was accessed. 
Common examples include + `event.category:database AND event.type:access`, or `event.category:file + AND event.type:access`. Note for file access, both directory listings and + file opens should be included in this subcategory. You can further distinguish + access operations using the ECS `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within + a category that are related to admin objects. For example, administrative + changes within an IAM framework that do not specifically affect a user or + group (e.g., adding new applications to a federation solution or connecting + discrete forests in Active Directory) would fall into this subcategory. + Common example: `event.category:iam AND event.type:change AND event.type:admin`. + You can further distinguish admin operations using the ECS `event.action` + field.' + name: admin + - description: The allowed event type is used for the subset of events within + a category that indicate that something was allowed. Common examples include + `event.category:network AND event.type:connection AND event.type:allowed` + (to indicate a network firewall event for which the firewall disposition + was to allow the connection to complete) and `event.category:intrusion_detection + AND event.type:allowed` (to indicate a network intrusion prevention system + event for which the IPS disposition was to allow the connection to complete). + You can further distinguish allowed operations using the ECS `event.action` + field, populating with values of your choosing, such as "allow", "detect", + or "pass". + name: allowed + - description: The change event type is used for the subset of events within + a category that indicate that something has changed. If semantics best describe + an event as modified, then include them in this subcategory. Common examples + include `event.category:process AND event.type:change`, and `event.category:file + AND event.type:change`. 
You can further distinguish change operations using + the ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used + for the subset of network traffic that includes sufficient information for + the event to be included in flow or connection analysis. Events in this + subcategory will contain at least source and destination IP addresses, source + and destination TCP/UDP ports, and will usually contain counts of bytes + and/or packets transferred. Events in this subcategory may contain unidirectional + or bidirectional information, including summary information. Use this subcategory + to visualize and analyze network connections. Flow analysis, including Netflow, + IPFIX, and other flow-related events fit in this subcategory. Note that + firewall events from many Next-Generation Firewall (NGFW) devices will also + fit into this subcategory. A common filter for flow/connection information + would be `event.category:network AND event.type:connection AND event.type:end` + (to view or analyze all completed network connections, ignoring mid-flow + reports). You can further distinguish connection events using the ECS `event.action` + field, populating with values of your choosing, such as "timeout", or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. A common example is + `event.category:file AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within + a category that indicate that something was deleted. A common example is + `event.category:file AND event.type:deletion` to indicate that a file has + been deleted. + name: deletion + - description: The denied event type is used for the subset of events within + a category that indicate that something was denied. 
Common examples include + `event.category:network AND event.type:denied` (to indicate a network firewall + event for which the firewall disposition was to deny the connection) and + `event.category:intrusion_detection AND event.type:denied` (to indicate + a network intrusion prevention system event for which the IPS disposition + was to deny the connection to complete). You can further distinguish denied + operations using the ECS `event.action` field, populating with values of + your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a + category that indicate something has ended. A common example is `event.category:process + AND event.type:end`. + name: end + - description: The error event type is used for the subset of events within + a category that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they + should use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within + a category that are related to group objects. Common example: `event.category:iam + AND event.type:creation AND event.type:group`. You can further distinguish + group operations using the ECS `event.action` field.' + name: group + - description: The info event type is used for the subset of events within a + category that indicate that they are purely informational, and don't report + a state change, or any type of action. For example, an initial run of a + file integrity monitoring system (FIM), where an agent reports all files + under management, would fall into the "info" subcategory. Similarly, an + event containing a dump of all currently running processes (as opposed to + reporting that a process started/ended) would fall into the "info" subcategory. 
+ An additional common examples is `event.category:intrusion_detection AND + event.type:info`. + name: info + - description: The installation event type is used for the subset of events + within a category that indicate that something was installed. A common example + is `event.category:package` AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within + a category that indicate that they contain protocol details or analysis, + beyond simply identifying the protocol. Generally, network events that contain + specific protocol details will fall into this subcategory. A common example + is `event.category:network AND event.type:protocol AND event.type:connection + AND event.type:end` (to indicate that the event is a network connection + event sent at the end of a connection that also includes a protocol detail + breakdown). Note that events that only indicate the name or id of the protocol + should not use the protocol value. Further note that when the protocol subcategory + is used, the identified protocol is populated in the ECS `network.protocol` + field. + name: protocol + - description: The start event type is used for the subset of events within + a category that indicate something has started. A common example is `event.category:process + AND event.type:start`. + name: start + - description: 'The user event type is used for the subset of events within + a category that are related to user objects. Common example: `event.category:iam + AND event.type:deletion AND event.type:user`. You can further distinguish + user operations using the ECS `event.action` field.' + name: user + dashed_name: event-type + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. 
+ + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' + flat_name: event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Event type. The third categorization field in the hierarchy. + type: keyword + event.url: + dashed_name: event-url + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + short: Event investigation URL + type: keyword + group: 2 + name: event + prefix: event. + short: Fields breaking down the event details. + title: Event + type: group +file: + description: 'A file is defined as a set of information that has been created on, + or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file events + (e.g., those produced by File Integrity Monitoring [FIM] products or services). + File fields provide details about the affected file associated with the event + or metric.' + fields: + file.accessed: + dashed_name: file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: file.accessed + level: extended + name: accessed + normalize: [] + short: Last time the file was accessed. + type: date + file.attributes: + dashed_name: file-attributes + description: 'Array of file attributes. 
+ + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + short: Array of file attributes. + type: keyword + file.code_signature.exists: + dashed_name: file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + file.code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + file.code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + file.code_signature.trusted: + dashed_name: file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + flat_name: file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + file.code_signature.valid: + dashed_name: file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + file.created: + dashed_name: file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: file.created + level: extended + name: created + normalize: [] + short: File creation time. + type: date + file.ctime: + dashed_name: file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: file.ctime + level: extended + name: ctime + normalize: [] + short: Last time the file attributes or metadata changed. + type: date + file.device: + dashed_name: file-device + description: Device that is the source of the file. + example: sda + flat_name: file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + short: Device that is the source of the file. + type: keyword + file.directory: + dashed_name: file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: file.directory + level: extended + name: directory + normalize: [] + short: Directory where the file is located. 
+ type: wildcard + file.drive_letter: + dashed_name: file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + short: Drive letter where the file is located. + type: keyword + file.extension: + dashed_name: file-extension + description: File extension. + example: png + flat_name: file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + short: File extension. + type: keyword + file.gid: + dashed_name: file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + short: Primary group ID (GID) of the file. + type: keyword + file.group: + dashed_name: file-group + description: Primary group name of the file. + example: alice + flat_name: file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + short: Primary group name of the file. + type: keyword + file.hash.md5: + dashed_name: file-hash-md5 + description: MD5 hash. + flat_name: file.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + file.hash.sha1: + dashed_name: file-hash-sha1 + description: SHA1 hash. + flat_name: file.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + file.hash.sha256: + dashed_name: file-hash-sha256 + description: SHA256 hash. + flat_name: file.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + file.hash.sha512: + dashed_name: file-hash-sha512 + description: SHA512 hash. 
+ flat_name: file.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + file.inode: + dashed_name: file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + short: Inode representing the file in the filesystem. + type: keyword + file.mime_type: + dashed_name: file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + short: Media type of file, document, or arrangement of bytes. + type: keyword + file.mode: + dashed_name: file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + short: Mode of the file in octal representation. + type: keyword + file.mtime: + dashed_name: file-mtime + description: Last time the file content was modified. + flat_name: file.mtime + level: extended + name: mtime + normalize: [] + short: Last time the file content was modified. + type: date + file.name: + dashed_name: file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the file including the extension, without the directory. + type: keyword + file.owner: + dashed_name: file-owner + description: File owner's username. + example: alice + flat_name: file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + short: File owner's username. 
+ type: keyword + file.path: + dashed_name: file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: file.path + level: extended + multi_fields: + - flat_name: file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + short: Full path to the file, including the file name. + type: wildcard + file.pe.architecture: + dashed_name: file-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: file.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + file.pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + file.pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + file.pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + file.pe.imphash: + dashed_name: file-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: file.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + file.pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + file.pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long + file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard + file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). 
+ example: file + flat_name: file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: File type (file, dir, or symlink). + type: keyword + file.uid: + dashed_name: file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + file.x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + file.x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + file.x509.issuer.country: + dashed_name: file-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + file.x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard + file.x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + file.x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + file.x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + file.x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + file.x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + file.x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + file.x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + file.x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword + file.x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: file.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + file.x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + file.x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + file.x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + file.x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: List of common names (CN) of subject. 
+ example: shared.global.example.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + file.x509.subject.country: + dashed_name: file-x509-subject-country + description: List of country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + file.x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: file.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard + file.x509.subject.locality: + dashed_name: file-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + file.x509.subject.organization: + dashed_name: file-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + file.x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + file.x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + file.x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + group: 2 + name: file + nestings: + - file.code_signature + - file.hash + - file.pe + - file.x509 + prefix: file. + reused_here: + - full: file.code_signature + schema_name: code_signature + short: These fields contain information about binary code signatures. + - full: file.hash + schema_name: hash + short: Hashes, usually file hashes. + - full: file.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - full: file.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. + short: Fields describing files. + title: File + type: group +geo: + description: 'Geo fields can carry data about a specific location related to an + event. + + This geolocation information can be derived from techniques such as Geo IP, or + be user-supplied.' + fields: + geo.city_name: + dashed_name: geo-city-name + description: City name. + example: Montreal + flat_name: geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + short: City name. 
+ type: keyword + geo.continent_name: + dashed_name: geo-continent-name + description: Name of the continent. + example: North America + flat_name: geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + short: Name of the continent. + type: keyword + geo.country_iso_code: + dashed_name: geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + short: Country ISO code. + type: keyword + geo.country_name: + dashed_name: geo-country-name + description: Country name. + example: Canada + flat_name: geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + short: Country name. + type: keyword + geo.location: + dashed_name: geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: geo.location + level: core + name: location + normalize: [] + short: Longitude and latitude. + type: geo_point + geo.name: + dashed_name: geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: geo.name + level: extended + name: name + normalize: [] + short: User-defined description of a location. + type: wildcard + geo.region_iso_code: + dashed_name: geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + short: Region ISO code. + type: keyword + geo.region_name: + dashed_name: geo-region-name + description: Region name. + example: Quebec + flat_name: geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + short: Region name. 
+ type: keyword + group: 2 + name: geo + prefix: geo. + reusable: + expected: + - as: geo + at: client + full: client.geo + - as: geo + at: destination + full: destination.geo + - as: geo + at: observer + full: observer.geo + - as: geo + at: host + full: host.geo + - as: geo + at: server + full: server.geo + - as: geo + at: source + full: source.geo + top_level: false + short: Fields describing a location. + title: Geo + type: group +group: + description: The group fields are meant to represent groups that are relevant to + the event. + fields: + group.domain: + dashed_name: group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the group is a member of. + type: keyword + group.id: + dashed_name: group-id + description: Unique identifier for the group on the system/platform. + flat_name: group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Unique identifier for the group on the system/platform. + type: keyword + group.name: + dashed_name: group-name + description: Name of the group. + flat_name: group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the group. + type: keyword + group: 2 + name: group + prefix: group. + reusable: + expected: + - as: group + at: user + full: user.group + top_level: true + short: User's group relevant to the event. + title: Group + type: group +hash: + description: 'The hash fields represent different hash algorithms and their values. + + Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for + other hashes by lowercasing the hash algorithm name and using underscore separators + as appropriate (snake case, e.g. sha3_512).' + fields: + hash.md5: + dashed_name: hash-md5 + description: MD5 hash. 
+ flat_name: hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + short: MD5 hash. + type: keyword + hash.sha1: + dashed_name: hash-sha1 + description: SHA1 hash. + flat_name: hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + short: SHA1 hash. + type: keyword + hash.sha256: + dashed_name: hash-sha256 + description: SHA256 hash. + flat_name: hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + short: SHA256 hash. + type: keyword + hash.sha512: + dashed_name: hash-sha512 + description: SHA512 hash. + flat_name: hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + short: SHA512 hash. + type: keyword + group: 2 + name: hash + prefix: hash. + reusable: + expected: + - as: hash + at: file + full: file.hash + - as: hash + at: process + full: process.hash + - as: hash + at: dll + full: dll.hash + top_level: false + short: Hashes, usually file hashes. + title: Hash + type: group +host: + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include hardware, + virtual machines, Docker containers, and Kubernetes nodes.' + fields: + host.architecture: + dashed_name: host-architecture + description: Operating system architecture. + example: x86_64 + flat_name: host.architecture + ignore_above: 1024 + level: core + name: architecture + normalize: [] + short: Operating system architecture. + type: keyword + host.domain: + dashed_name: host-domain + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain + or NetBIOS domain name. For Linux this could be the domain of the host''s + LDAP provider.' 
+ example: CONTOSO + flat_name: host.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the group is a member of. + type: keyword + host.geo.city_name: + dashed_name: host-geo-city-name + description: City name. + example: Montreal + flat_name: host.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + host.geo.continent_name: + dashed_name: host-geo-continent-name + description: Name of the continent. + example: North America + flat_name: host.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + host.geo.country_iso_code: + dashed_name: host-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: host.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + host.geo.country_name: + dashed_name: host-geo-country-name + description: Country name. + example: Canada + flat_name: host.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + host.geo.location: + dashed_name: host-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: host.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + host.geo.name: + dashed_name: host-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: host.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + host.geo.region_iso_code: + dashed_name: host-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: host.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + host.geo.region_name: + dashed_name: host-geo-region-name + description: Region name. + example: Quebec + flat_name: host.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + host.hostname: + dashed_name: host-hostname + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + flat_name: host.hostname + level: core + name: hostname + normalize: [] + short: Hostname of the host. + type: wildcard + host.id: + dashed_name: host-id + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + flat_name: host.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique host id. + type: keyword + host.ip: + dashed_name: host-ip + description: Host ip addresses. + flat_name: host.ip + level: core + name: ip + normalize: + - array + short: Host ip addresses. + type: ip + host.mac: + dashed_name: host-mac + description: Host mac addresses. + flat_name: host.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + short: Host mac addresses. + type: keyword + host.name: + dashed_name: host-name + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' 
+ flat_name: host.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the host. + type: keyword + host.os.family: + dashed_name: host-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: host.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + host.os.full: + dashed_name: host-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: host.os.full + level: extended + multi_fields: + - flat_name: host.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard + host.os.kernel: + dashed_name: host-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: host.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + host.os.name: + dashed_name: host-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: host.os.name + level: extended + multi_fields: + - flat_name: host.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard + host.os.platform: + dashed_name: host-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: host.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). 
+ type: keyword + host.os.version: + dashed_name: host-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: host.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + host.type: + dashed_name: host-type + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment.' + flat_name: host.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: Type of host. + type: keyword + host.uptime: + dashed_name: host-uptime + description: Seconds the host has been up. + example: 1325 + flat_name: host.uptime + level: extended + name: uptime + normalize: [] + short: Seconds the host has been up. + type: long + host.user.domain: + dashed_name: host-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: host.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + host.user.email: + dashed_name: host-user-email + description: User email address. + flat_name: host.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + host.user.full_name: + dashed_name: host-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: host.user.full_name + level: extended + multi_fields: + - flat_name: host.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: wildcard + host.user.group.domain: + dashed_name: host-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: host.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + host.user.group.id: + dashed_name: host-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: host.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + host.user.group.name: + dashed_name: host-user-group-name + description: Name of the group. + flat_name: host.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + host.user.hash: + dashed_name: host-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: host.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + host.user.id: + dashed_name: host-user-id + description: Unique identifier of the user. + flat_name: host.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + host.user.name: + dashed_name: host-user-name + description: Short name or login of the user. 
+ example: albert + flat_name: host.user.name + level: core + multi_fields: + - flat_name: host.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + host.user.roles: + dashed_name: host-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: host.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + group: 2 + name: host + nestings: + - host.geo + - host.os + - host.user + prefix: host. + reused_here: + - full: host.geo + schema_name: geo + short: Fields describing a location. + - full: host.os + schema_name: os + short: OS fields contain information about the operating system. + - full: host.user + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields describing the relevant computing instance. + title: Host + type: group +http: + description: Fields related to HTTP activity. Use the `url` field set to store the + url of the request. + fields: + http.request.body.bytes: + dashed_name: http-request-body-bytes + description: Size in bytes of the request body. + example: 887 + flat_name: http.request.body.bytes + format: bytes + level: extended + name: request.body.bytes + normalize: [] + short: Size in bytes of the request body. + type: long + http.request.body.content: + dashed_name: http-request-body-content + description: The full HTTP request body. + example: Hello world + flat_name: http.request.body.content + level: extended + multi_fields: + - flat_name: http.request.body.content.text + name: text + norms: false + type: text + name: request.body.content + normalize: [] + short: The full HTTP request body. 
+ type: wildcard + http.request.bytes: + dashed_name: http-request-bytes + description: Total size in bytes of the request (body and headers). + example: 1437 + flat_name: http.request.bytes + format: bytes + level: extended + name: request.bytes + normalize: [] + short: Total size in bytes of the request (body and headers). + type: long + http.request.method: + dashed_name: http-request-method + description: 'HTTP request method. + + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the + method may be useful in anomaly detection. Original case will be mandated + in ECS 2.0.0' + example: GET, POST, PUT, PoST + flat_name: http.request.method + ignore_above: 1024 + level: extended + name: request.method + normalize: [] + short: HTTP request method. + type: keyword + http.request.mime_type: + dashed_name: http-request-mime-type + description: 'Mime type of the body of the request. + + This value must only be populated based on the content of the request body, + not on the `Content-Type` header. Comparing the mime type of a request with + the request''s Content-Type header can be helpful in detecting threats or + misconfigured clients.' + example: image/gif + flat_name: http.request.mime_type + ignore_above: 1024 + level: extended + name: request.mime_type + normalize: [] + short: Mime type of the body of the request. + type: keyword + http.request.referrer: + dashed_name: http-request-referrer + description: Referrer for this HTTP request. + example: https://blog.example.com/ + flat_name: http.request.referrer + level: extended + name: request.referrer + normalize: [] + short: Referrer for this HTTP request. + type: wildcard + http.response.body.bytes: + dashed_name: http-response-body-bytes + description: Size in bytes of the response body. 
+ example: 887 + flat_name: http.response.body.bytes + format: bytes + level: extended + name: response.body.bytes + normalize: [] + short: Size in bytes of the response body. + type: long + http.response.body.content: + dashed_name: http-response-body-content + description: The full HTTP response body. + example: Hello world + flat_name: http.response.body.content + level: extended + multi_fields: + - flat_name: http.response.body.content.text + name: text + norms: false + type: text + name: response.body.content + normalize: [] + short: The full HTTP response body. + type: wildcard + http.response.bytes: + dashed_name: http-response-bytes + description: Total size in bytes of the response (body and headers). + example: 1437 + flat_name: http.response.bytes + format: bytes + level: extended + name: response.bytes + normalize: [] + short: Total size in bytes of the response (body and headers). + type: long + http.response.mime_type: + dashed_name: http-response-mime-type + description: 'Mime type of the body of the response. + + This value must only be populated based on the content of the response body, + not on the `Content-Type` header. Comparing the mime type of a response with + the response''s Content-Type header can be helpful in detecting misconfigured + servers.' + example: image/gif + flat_name: http.response.mime_type + ignore_above: 1024 + level: extended + name: response.mime_type + normalize: [] + short: Mime type of the body of the response. + type: keyword + http.response.status_code: + dashed_name: http-response-status-code + description: HTTP response status code. + example: 404 + flat_name: http.response.status_code + format: string + level: extended + name: response.status_code + normalize: [] + short: HTTP response status code. + type: long + http.version: + dashed_name: http-version + description: HTTP version. + example: 1.1 + flat_name: http.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: HTTP version. 
+ type: keyword + group: 2 + name: http + prefix: http. + short: Fields describing an HTTP request. + title: HTTP + type: group +interface: + description: The interface fields are used to record ingress and egress interface + information when reported by an observer (e.g. firewall, router, load balancer) + in the context of the observer handling a network connection. In the case of + a single observer interface (e.g. network sensor on a span port) only the observer.ingress + information should be populated. + fields: + interface.alias: + dashed_name: interface-alias + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + flat_name: interface.alias + ignore_above: 1024 + level: extended + name: alias + normalize: [] + short: Interface alias + type: keyword + interface.id: + dashed_name: interface-id + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + flat_name: interface.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Interface ID + type: keyword + interface.name: + dashed_name: interface-name + description: Interface name as reported by the system. + example: eth0 + flat_name: interface.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Interface name + type: keyword + group: 2 + name: interface + prefix: interface. + reusable: + expected: + - as: interface + at: observer.ingress + full: observer.ingress.interface + - as: interface + at: observer.egress + full: observer.egress.interface + top_level: false + short: Fields to describe observer interface information. + title: Interface + type: group +log: + description: 'Details about the event''s logging mechanism or logging transport. + + The log.* fields are typically populated with details about the logging mechanism + used to create and/or transport the event. 
For example, syslog details belong + under `log.syslog.*`. + + The details specific to your event source are typically not logged under `log.*`, + but rather in `event.*` or in other ECS fields.' + fields: + log.file.path: + dashed_name: log-file-path + description: 'Full path to the log file this event came from, including the + file name. It should include the drive letter, when appropriate. + + If the event wasn''t read from a log file, do not populate this field.' + example: /var/log/fun-times.log + flat_name: log.file.path + level: extended + name: file.path + normalize: [] + short: Full path to the log file this event came from. + type: wildcard + log.level: + dashed_name: log-level + description: 'Original log level of the log event. + + If the source of the event provides a log level or textual severity, this + is the one that goes in `log.level`. If your source doesn''t specify one, + you may put your event transport''s severity here (e.g. Syslog severity). + + Some examples are `warn`, `err`, `i`, `informational`.' + example: error + flat_name: log.level + ignore_above: 1024 + level: core + name: level + normalize: [] + short: Log level of the log event. + type: keyword + log.logger: + dashed_name: log-logger + description: The name of the logger inside an application. This is usually the + name of the class which initialized the logger, or can be a custom name. + example: org.elasticsearch.bootstrap.Bootstrap + flat_name: log.logger + level: core + name: logger + normalize: [] + short: Name of the logger. + type: wildcard + log.origin.file.line: + dashed_name: log-origin-file-line + description: The line number of the file containing the source code which originated + the log event. + example: 42 + flat_name: log.origin.file.line + level: extended + name: origin.file.line + normalize: [] + short: The line number of the file which originated the log event. 
+ type: integer + log.origin.file.name: + dashed_name: log-origin-file-name + description: 'The name of the file containing the source code which originated + the log event. + + Note that this field is not meant to capture the log file. The correct field + to capture the log file is `log.file.path`.' + example: Bootstrap.java + flat_name: log.origin.file.name + ignore_above: 1024 + level: extended + name: origin.file.name + normalize: [] + short: The code file which originated the log event. + type: keyword + log.origin.function: + dashed_name: log-origin-function + description: The name of the function or method which originated the log event. + example: init + flat_name: log.origin.function + ignore_above: 1024 + level: extended + name: origin.function + normalize: [] + short: The function which originated the log event. + type: keyword + log.original: + dashed_name: log-original + description: 'This is the original log message and contains the full log message + before splitting it up in multiple parts. + + In contrast to the `message` field which can contain an extracted part of + the log message, this field contains the original, full log message. It can + have already some modifications applied like encoding or new lines removed + to clean up the log message. + + This field is not indexed and doc_values are disabled so it can''t be queried + but the value can be retrieved from `_source`.' + doc_values: false + example: Sep 19 08:26:10 localhost My log + flat_name: log.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + short: Original log message with light interpretation only (encoding, newlines). + type: keyword + log.syslog: + dashed_name: log-syslog + description: The Syslog metadata of the event, if the event was transmitted + via Syslog. Please see RFCs 5424 or 3164. 
+ flat_name: log.syslog + level: extended + name: syslog + normalize: [] + short: Syslog metadata + type: object + log.syslog.facility.code: + dashed_name: log-syslog-facility-code + description: 'The Syslog numeric facility of the log event, if available. + + According to RFCs 5424 and 3164, this value should be an integer between 0 + and 23.' + example: 23 + flat_name: log.syslog.facility.code + format: string + level: extended + name: syslog.facility.code + normalize: [] + short: Syslog numeric facility of the event. + type: long + log.syslog.facility.name: + dashed_name: log-syslog-facility-name + description: The Syslog text-based facility of the log event, if available. + example: local7 + flat_name: log.syslog.facility.name + ignore_above: 1024 + level: extended + name: syslog.facility.name + normalize: [] + short: Syslog text-based facility of the event. + type: keyword + log.syslog.priority: + dashed_name: log-syslog-priority + description: 'Syslog numeric priority of the event, if available. + + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. + This number is therefore expected to contain a value between 0 and 191.' + example: 135 + flat_name: log.syslog.priority + format: string + level: extended + name: syslog.priority + normalize: [] + short: Syslog priority of the event. + type: long + log.syslog.severity.code: + dashed_name: log-syslog-severity-code + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different numeric severity + value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. + If the event source does not specify a distinct severity, you can optionally + copy the Syslog severity to `event.severity`.' + example: 3 + flat_name: log.syslog.severity.code + level: extended + name: syslog.severity.code + normalize: [] + short: Syslog numeric severity of the event. 
+ type: long + log.syslog.severity.name: + dashed_name: log-syslog-severity-name + description: 'The Syslog numeric severity of the log event, if available. + + If the event source publishing via Syslog provides a different severity value + (e.g. firewall, IDS), your source''s text severity should go to `log.level`. + If the event source does not specify a distinct severity, you can optionally + copy the Syslog severity to `log.level`.' + example: Error + flat_name: log.syslog.severity.name + ignore_above: 1024 + level: extended + name: syslog.severity.name + normalize: [] + short: Syslog text-based severity of the event. + type: keyword + group: 2 + name: log + prefix: log. + short: Details about the event's logging mechanism. + title: Log + type: group +network: + description: 'The network is defined as the communication path over which a host + or network event happens. + + The network.* fields should be populated with details about the network activity + associated with an event.' + fields: + network.application: + dashed_name: network-application + description: 'A name given to an application level protocol. This can be arbitrarily + assigned for things like microservices, but also apply to things like skype, + icq, facebook, twitter. This would be used in situations where the vendor + or service can be decoded such as from the source/dest IP owners, ports, or + wire format. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: aim + flat_name: network.application + ignore_above: 1024 + level: extended + name: application + normalize: [] + short: Application level protocol name. + type: keyword + network.bytes: + dashed_name: network-bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' 
+ example: 368 + flat_name: network.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Total bytes transferred in both directions. + type: long + network.community_id: + dashed_name: network-community-id + description: 'A hash of source and destination IPs and ports, as well as the + protocol used in a communication. This is a tool-agnostic standard to identify + flows. + + Learn more at https://github.com/corelight/community-id-spec.' + example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + flat_name: network.community_id + ignore_above: 1024 + level: extended + name: community_id + normalize: [] + short: A hash of source and destination IPs and ports. + type: keyword + network.direction: + dashed_name: network-direction + description: "Direction of the network traffic.\nRecommended values are:\n \ + \ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\ + \ * unknown\n\nWhen mapping events from a host-based monitoring context,\ + \ populate this field from the host's point of view, using the values \"ingress\"\ + \ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\ + \ context, populate this field from the point of view of the network perimeter,\ + \ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\ + .\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\ + \ to describe communication between two hosts within the perimeter. Note also\ + \ that \"external\" is meant to describe traffic between two hosts that are\ + \ external to the perimeter. This could for example be useful for ISPs or\ + \ VPN service providers." + example: inbound + flat_name: network.direction + ignore_above: 1024 + level: core + name: direction + normalize: [] + short: Direction of the network traffic. + type: keyword + network.forwarded_ip: + dashed_name: network-forwarded-ip + description: Host IP address when the source IP address is the proxy. 
+ example: 192.1.1.2 + flat_name: network.forwarded_ip + level: core + name: forwarded_ip + normalize: [] + short: Host IP address when the source IP address is the proxy. + type: ip + network.iana_number: + dashed_name: network-iana-number + description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). + Standardized list of protocols. This aligns well with NetFlow and sFlow related + logs which use the IANA Protocol Number. + example: 6 + flat_name: network.iana_number + ignore_above: 1024 + level: extended + name: iana_number + normalize: [] + short: IANA Protocol Number. + type: keyword + network.inner: + dashed_name: network-inner + description: Network.inner fields are added in addition to network.vlan fields + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used + when sending traffic with multiple 802.1q encapsulations to a network sensor + (e.g. Zeek, Wireshark.) + flat_name: network.inner + level: extended + name: inner + normalize: [] + short: Inner VLAN tag information + type: object + network.inner.vlan.id: + dashed_name: network-inner-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: network.inner.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword + network.inner.vlan.name: + dashed_name: network-inner-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: network.inner.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword + network.name: + dashed_name: network-name + description: Name given by operators to sections of their network. 
+ example: Guest Wifi + flat_name: network.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name given by operators to sections of their network. + type: keyword + network.packets: + dashed_name: network-packets + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` + is their sum.' + example: 24 + flat_name: network.packets + level: core + name: packets + normalize: [] + short: Total packets transferred in both directions. + type: long + network.protocol: + dashed_name: network-protocol + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + flat_name: network.protocol + ignore_above: 1024 + level: core + name: protocol + normalize: [] + short: L7 Network protocol name. + type: keyword + network.transport: + dashed_name: network-transport + description: 'Same as network.iana_number, but instead using the Keyword name + of the transport layer (udp, tcp, ipv6-icmp, etc.) + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: tcp + flat_name: network.transport + ignore_above: 1024 + level: core + name: transport + normalize: [] + short: Protocol Name corresponding to the field `iana_number`. + type: keyword + network.type: + dashed_name: network-type + description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, + ipsec, pim, etc + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: ipv4 + flat_name: network.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, + pim, etc + type: keyword + network.vlan.id: + dashed_name: network-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: network.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword + network.vlan.name: + dashed_name: network-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: network.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword + group: 2 + name: network + nestings: + - network.inner.vlan + - network.vlan + prefix: network. + reused_here: + - full: network.vlan + schema_name: vlan + short: Fields to describe observed VLAN information. + - full: network.inner.vlan + schema_name: vlan + short: Fields to describe observed VLAN information. + short: Fields describing the communication path over which the event happened. + title: Network + type: group +observer: + description: 'An observer is defined as a special network, security, or application + device used to detect, observe, or create network, security, or application-related + events and metrics. + + This could be a custom hardware appliance or a server that has been configured + to run special network, security, or application software. Examples include firewalls, + web proxies, intrusion detection/prevention systems, network monitoring sensors, + web application firewalls, data loss prevention systems, and APM servers. The + observer.* fields shall be populated with details of the system, if any, that + detects, observes and/or creates a network, security, or application event or + metric. Message queues and ETL components used in processing events or metrics + are not considered observers in ECS.' 
+ fields: + observer.egress: + dashed_name: observer-egress + description: Observer.egress holds information like interface number and name, + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + flat_name: observer.egress + level: extended + name: egress + normalize: [] + short: Object field for egress information + type: object + observer.egress.interface.alias: + dashed_name: observer-egress-interface-alias + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + flat_name: observer.egress.interface.alias + ignore_above: 1024 + level: extended + name: alias + normalize: [] + original_fieldset: interface + short: Interface alias + type: keyword + observer.egress.interface.id: + dashed_name: observer-egress-interface-id + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + flat_name: observer.egress.interface.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: interface + short: Interface ID + type: keyword + observer.egress.interface.name: + dashed_name: observer-egress-interface-name + description: Interface name as reported by the system. + example: eth0 + flat_name: observer.egress.interface.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: interface + short: Interface name + type: keyword + observer.egress.vlan.id: + dashed_name: observer-egress-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: observer.egress.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. 
+ type: keyword + observer.egress.vlan.name: + dashed_name: observer-egress-vlan-name + description: Optional VLAN name as reported by the observer. + example: outside + flat_name: observer.egress.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword + observer.egress.zone: + dashed_name: observer-egress-zone + description: Network zone of outbound traffic as reported by the observer to + categorize the destination area of egress traffic, e.g. Internal, External, + DMZ, HR, Legal, etc. + example: Public_Internet + flat_name: observer.egress.zone + ignore_above: 1024 + level: extended + name: egress.zone + normalize: [] + short: Observer Egress zone + type: keyword + observer.geo.city_name: + dashed_name: observer-geo-city-name + description: City name. + example: Montreal + flat_name: observer.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + observer.geo.continent_name: + dashed_name: observer-geo-continent-name + description: Name of the continent. + example: North America + flat_name: observer.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + observer.geo.country_iso_code: + dashed_name: observer-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: observer.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + observer.geo.country_name: + dashed_name: observer-geo-country-name + description: Country name. + example: Canada + flat_name: observer.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + observer.geo.location: + dashed_name: observer-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: observer.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + observer.geo.name: + dashed_name: observer-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: observer.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + observer.geo.region_iso_code: + dashed_name: observer-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: observer.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + observer.geo.region_name: + dashed_name: observer-geo-region-name + description: Region name. + example: Quebec + flat_name: observer.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + observer.hostname: + dashed_name: observer-hostname + description: Hostname of the observer. + flat_name: observer.hostname + ignore_above: 1024 + level: core + name: hostname + normalize: [] + short: Hostname of the observer. + type: keyword + observer.ingress: + dashed_name: observer-ingress + description: Observer.ingress holds information like interface number and name, + vlan, and zone information to classify ingress traffic. 
Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + flat_name: observer.ingress + level: extended + name: ingress + normalize: [] + short: Object field for ingress information + type: object + observer.ingress.interface.alias: + dashed_name: observer-ingress-interface-alias + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + flat_name: observer.ingress.interface.alias + ignore_above: 1024 + level: extended + name: alias + normalize: [] + original_fieldset: interface + short: Interface alias + type: keyword + observer.ingress.interface.id: + dashed_name: observer-ingress-interface-id + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + flat_name: observer.ingress.interface.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: interface + short: Interface ID + type: keyword + observer.ingress.interface.name: + dashed_name: observer-ingress-interface-name + description: Interface name as reported by the system. + example: eth0 + flat_name: observer.ingress.interface.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: interface + short: Interface name + type: keyword + observer.ingress.vlan.id: + dashed_name: observer-ingress-vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: observer.ingress.vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: vlan + short: VLAN ID as reported by the observer. + type: keyword + observer.ingress.vlan.name: + dashed_name: observer-ingress-vlan-name + description: Optional VLAN name as reported by the observer. 
+ example: outside + flat_name: observer.ingress.vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: vlan + short: Optional VLAN name as reported by the observer. + type: keyword + observer.ingress.zone: + dashed_name: observer-ingress-zone + description: Network zone of incoming traffic as reported by the observer to + categorize the source area of ingress traffic. e.g. internal, External, DMZ, + HR, Legal, etc. + example: DMZ + flat_name: observer.ingress.zone + ignore_above: 1024 + level: extended + name: ingress.zone + normalize: [] + short: Observer ingress zone + type: keyword + observer.ip: + dashed_name: observer-ip + description: IP addresses of the observer. + flat_name: observer.ip + level: core + name: ip + normalize: + - array + short: IP addresses of the observer. + type: ip + observer.mac: + dashed_name: observer-mac + description: MAC addresses of the observer + flat_name: observer.mac + ignore_above: 1024 + level: core + name: mac + normalize: + - array + short: MAC addresses of the observer + type: keyword + observer.name: + dashed_name: observer-name + description: 'Custom name of the observer. + + This is a name that can be given to an observer. This can be helpful for example + if multiple firewalls of the same model are used in an organization. + + If no custom name is needed, the field can be left empty.' + example: 1_proxySG + flat_name: observer.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Custom name of the observer. + type: keyword + observer.os.family: + dashed_name: observer-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: observer.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). 
+ type: keyword + observer.os.full: + dashed_name: observer-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: observer.os.full + level: extended + multi_fields: + - flat_name: observer.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard + observer.os.kernel: + dashed_name: observer-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: observer.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + observer.os.name: + dashed_name: observer-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: observer.os.name + level: extended + multi_fields: + - flat_name: observer.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard + observer.os.platform: + dashed_name: observer-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: observer.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + observer.os.version: + dashed_name: observer-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: observer.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. + type: keyword + observer.product: + dashed_name: observer-product + description: The product name of the observer. 
+ example: s200 + flat_name: observer.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + short: The product name of the observer. + type: keyword + observer.serial_number: + dashed_name: observer-serial-number + description: Observer serial number. + flat_name: observer.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Observer serial number. + type: keyword + observer.type: + dashed_name: observer-type + description: 'The type of the observer the data is coming from. + + There is no predefined list of observer types. Some examples are `forwarder`, + `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.' + example: firewall + flat_name: observer.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: The type of the observer the data is coming from. + type: keyword + observer.vendor: + dashed_name: observer-vendor + description: Vendor name of the observer. + example: Symantec + flat_name: observer.vendor + ignore_above: 1024 + level: core + name: vendor + normalize: [] + short: Vendor name of the observer. + type: keyword + observer.version: + dashed_name: observer-version + description: Observer version. + flat_name: observer.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Observer version. + type: keyword + group: 2 + name: observer + nestings: + - observer.egress.interface + - observer.egress.vlan + - observer.geo + - observer.ingress.interface + - observer.ingress.vlan + - observer.os + prefix: observer. + reused_here: + - full: observer.geo + schema_name: geo + short: Fields describing a location. + - full: observer.ingress.interface + schema_name: interface + short: Fields to describe observer interface information. + - full: observer.egress.interface + schema_name: interface + short: Fields to describe observer interface information. 
+ - full: observer.os + schema_name: os + short: OS fields contain information about the operating system. + - full: observer.ingress.vlan + schema_name: vlan + short: Fields to describe observed VLAN information. + - full: observer.egress.vlan + schema_name: vlan + short: Fields to describe observed VLAN information. + short: Fields describing an entity observing the event from outside the host. + title: Observer + type: group +organization: + description: 'The organization fields enrich data with information about the company + or entity the data is associated with. + + These fields help you arrange or filter data stored in an index by one or multiple + organizations.' + fields: + organization.id: + dashed_name: organization-id + description: Unique identifier for the organization. + flat_name: organization.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Unique identifier for the organization. + type: keyword + organization.name: + dashed_name: organization-name + description: Organization name. + flat_name: organization.name + level: extended + multi_fields: + - flat_name: organization.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Organization name. + type: wildcard + group: 2 + name: organization + prefix: organization. + short: Fields describing the organization or company the event is associated with. + title: Organization + type: group +os: + description: The OS fields contain information about the operating system. + fields: + os.family: + dashed_name: os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + short: OS family (such as redhat, debian, freebsd, windows). + type: keyword + os.full: + dashed_name: os-full + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + flat_name: os.full + level: extended + multi_fields: + - flat_name: os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + short: Operating system name, including the version or code name. + type: wildcard + os.kernel: + dashed_name: os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + short: Operating system kernel version as a raw string. + type: keyword + os.name: + dashed_name: os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: os.name + level: extended + multi_fields: + - flat_name: os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Operating system name, without the version. + type: wildcard + os.platform: + dashed_name: os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + os.version: + dashed_name: os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Operating system version as a raw string. + type: keyword + group: 2 + name: os + prefix: os. + reusable: + expected: + - as: os + at: observer + full: observer.os + - as: os + at: host + full: host.os + - as: os + at: user_agent + full: user_agent.os + top_level: false + short: OS fields contain information about the operating system. + title: Operating System + type: group +package: + description: These fields contain information about an installed software package. + It contains general information about a package, such as name, version or size. 
+ It also contains installation details, such as time or location. + fields: + package.architecture: + dashed_name: package-architecture + description: Package architecture. + example: x86_64 + flat_name: package.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + short: Package architecture. + type: keyword + package.build_version: + dashed_name: package-build-version + description: 'Additional information about the build version of the installed + package. + + For example use the commit SHA of a non-released package.' + example: 36f4f7e89dd61b0988b12ee000b98966867710cd + flat_name: package.build_version + ignore_above: 1024 + level: extended + name: build_version + normalize: [] + short: Build version information + type: keyword + package.checksum: + dashed_name: package-checksum + description: Checksum of the installed package for verification. + example: 68b329da9893e34099c7d8ad5cb9c940 + flat_name: package.checksum + ignore_above: 1024 + level: extended + name: checksum + normalize: [] + short: Checksum of the installed package for verification. + type: keyword + package.description: + dashed_name: package-description + description: Description of the package. + example: Open source programming language to build simple/reliable/efficient + software. + flat_name: package.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + short: Description of the package. + type: keyword + package.install_scope: + dashed_name: package-install-scope + description: Indicating how the package was installed, e.g. user-local, global. + example: global + flat_name: package.install_scope + ignore_above: 1024 + level: extended + name: install_scope + normalize: [] + short: Indicating how the package was installed, e.g. user-local, global. + type: keyword + package.installed: + dashed_name: package-installed + description: Time when package was installed. 
+ flat_name: package.installed + level: extended + name: installed + normalize: [] + short: Time when package was installed. + type: date + package.license: + dashed_name: package-license + description: 'License under which the package was released. + + Use a short name, e.g. the license identifier from SPDX License List where + possible (https://spdx.org/licenses/).' + example: Apache License 2.0 + flat_name: package.license + ignore_above: 1024 + level: extended + name: license + normalize: [] + short: Package license + type: keyword + package.name: + dashed_name: package-name + description: Package name + example: go + flat_name: package.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Package name + type: keyword + package.path: + dashed_name: package-path + description: Path where the package is installed. + example: /usr/local/Cellar/go/1.12.9/ + flat_name: package.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + short: Path where the package is installed. + type: keyword + package.reference: + dashed_name: package-reference + description: Home page or reference URL of the software in this package, if + available. + example: https://golang.org + flat_name: package.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Package home page or reference URL + type: keyword + package.size: + dashed_name: package-size + description: Package size in bytes. + example: 62231 + flat_name: package.size + format: string + level: extended + name: size + normalize: [] + short: Package size in bytes. + type: long + package.type: + dashed_name: package-type + description: 'Type of package. + + This should contain the package file type, rather than the package manager + name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.' 
+ example: rpm + flat_name: package.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: Package type + type: keyword + package.version: + dashed_name: package-version + description: Package version + example: 1.12.9 + flat_name: package.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Package version + type: keyword + group: 2 + name: package + prefix: package. + short: These fields contain information about an installed software package. + title: Package + type: group +pe: + description: These fields contain Windows Portable Executable (PE) metadata. + fields: + pe.architecture: + dashed_name: pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + short: CPU architecture target for the file. + type: keyword + pe.company: + dashed_name: pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + short: Process name. + type: keyword + pe.imphash: + dashed_name: pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + short: A hash of the imports in a PE file. + type: keyword + pe.original_file_name: + dashed_name: pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: pe.original_file_name + level: extended + name: original_file_name + normalize: [] + short: Internal name of the file, provided at compile-time. + type: wildcard + pe.product: + dashed_name: pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + short: Internal product name of the file, provided at compile-time. + type: keyword + group: 2 + name: pe + prefix: pe. + reusable: + expected: + - as: pe + at: file + full: file.pe + - as: pe + at: dll + full: dll.pe + - as: pe + at: process + full: process.pe + top_level: false + short: These fields contain Windows Portable Executable (PE) metadata. + title: PE Header + type: group +process: + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and is + copied to the global field for correlation.' + fields: + process.args: + dashed_name: process-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + short: Array of process arguments. + type: keyword + process.args_count: + dashed_name: process-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.args_count + level: extended + name: args_count + normalize: [] + short: Length of the process.args array. + type: long + process.code_signature.exists: + dashed_name: process-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.code_signature.trusted: + dashed_name: process-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.code_signature.valid: + dashed_name: process-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.command_line: + dashed_name: process-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + level: extended + multi_fields: + - flat_name: process.command_line.text + name: text + norms: false + type: text + name: command_line + normalize: [] + short: Full command line that started the process. 
+ type: wildcard + process.entity_id: + dashed_name: process-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + short: Unique identifier for the process. + type: keyword + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + norms: false + type: text + name: executable + normalize: [] + short: Absolute path to the process executable. + type: wildcard + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + level: extended + multi_fields: + - flat_name: process.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Process name. + type: wildcard + process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. 
+ + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + norms: false + type: text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.parent.executable + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + norms: false + type: text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: wildcard + process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.parent.name + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: wildcard + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.pgid: + dashed_name: process-parent-pgid + description: Identifier of the group of processes the process belongs to. + flat_name: process.parent.pgid + format: string + level: extended + name: pgid + normalize: [] + original_fieldset: process + short: Identifier of the group of processes the process belongs to. + type: long + process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. 
+ type: long + process.parent.ppid: + dashed_name: process-parent-ppid + description: Parent process' pid. + example: 4241 + flat_name: process.parent.ppid + format: string + level: extended + name: ppid + normalize: [] + original_fieldset: process + short: Parent process' pid. + type: long + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + norms: false + type: text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: wildcard + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long + process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + norms: false + type: text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: wildcard + process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.pgid: + dashed_name: process-pgid + description: Identifier of the group of processes the process belongs to. + flat_name: process.pgid + format: string + level: extended + name: pgid + normalize: [] + short: Identifier of the group of processes the process belongs to. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + short: Process id. 
+ type: long + process.ppid: + dashed_name: process-ppid + description: Parent process' pid. + example: 4241 + flat_name: process.ppid + format: string + level: extended + name: ppid + normalize: [] + short: Parent process' pid. + type: long + process.start: + dashed_name: process-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.start + level: extended + name: start + normalize: [] + short: The time the process started. + type: date + process.thread.id: + dashed_name: process-thread-id + description: Thread ID. + example: 4242 + flat_name: process.thread.id + format: string + level: extended + name: thread.id + normalize: [] + short: Thread ID. + type: long + process.thread.name: + dashed_name: process-thread-name + description: Thread name. + example: thread-0 + flat_name: process.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + short: Thread name. + type: keyword + process.title: + dashed_name: process-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.title + level: extended + multi_fields: + - flat_name: process.title.text + name: text + norms: false + type: text + name: title + normalize: [] + short: Process title. + type: wildcard + process.uptime: + dashed_name: process-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.uptime + level: extended + name: uptime + normalize: [] + short: Seconds the process has been up. + type: long + process.working_directory: + dashed_name: process-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.working_directory + level: extended + multi_fields: + - flat_name: process.working_directory.text + name: text + norms: false + type: text + name: working_directory + normalize: [] + short: The working directory of the process. + type: wildcard + group: 2 + name: process + nestings: + - process.code_signature + - process.hash + - process.parent + - process.pe + prefix: process. + reusable: + expected: + - as: parent + at: process + full: process.parent + top_level: true + reused_here: + - full: process.code_signature + schema_name: code_signature + short: These fields contain information about binary code signatures. + - full: process.hash + schema_name: hash + short: Hashes, usually file hashes. + - full: process.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - full: process.parent + schema_name: process + short: These fields contain information about a process. + short: These fields contain information about a process. + title: Process + type: group +registry: + description: Fields related to Windows Registry operations. + fields: + registry.data.bytes: + dashed_name: registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + short: Original bytes written with base64 encoding. + type: keyword + registry.data.strings: + dashed_name: registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. 
For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: registry.data.strings + level: core + name: data.strings + normalize: + - array + short: List of strings representing what was written to the registry. + type: wildcard + registry.data.type: + dashed_name: registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + short: Standard registry type for encoding contents + type: keyword + registry.hive: + dashed_name: registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + short: Abbreviated name for the hive. + type: keyword + registry.key: + dashed_name: registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: registry.key + level: core + name: key + normalize: [] + short: Hive-relative path of keys. + type: wildcard + registry.path: + dashed_name: registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: registry.path + level: core + name: path + normalize: [] + short: Full path, including hive, key and value + type: wildcard + registry.value: + dashed_name: registry-value + description: Name of the value written. + example: Debugger + flat_name: registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + short: Name of the value written. 
+ type: keyword + group: 2 + name: registry + prefix: registry. + short: Fields related to Windows Registry operations. + title: Registry + type: group +related: + description: 'This field set is meant to facilitate pivoting around a piece of data. + + Some pieces of information can be seen in many places in an ECS event. To facilitate + searching for them, store an array of all seen values to their corresponding field + in `related.`. + + A concrete example is IP addresses, which can be under host, observer, source, + destination, client, server, and network.forwarded_ip. If you append all IPs to + `related.ip`, you can then search for a given IP trivially, no matter where it + appeared, by querying `related.ip:192.0.2.15`.' + fields: + related.hash: + dashed_name: related-hash + description: All the hashes seen on your event. Populating this field, then + using it to search for hashes can help in situations where you're unsure what + the hash algorithm is (and therefore which key name to search). + flat_name: related.hash + ignore_above: 1024 + level: extended + name: hash + normalize: + - array + short: All the hashes seen on your event. + type: keyword + related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword + related.ip: + dashed_name: related-ip + description: All of the IPs seen on your event. + flat_name: related.ip + level: extended + name: ip + normalize: + - array + short: All of the IPs seen on your event. + type: ip + related.user: + dashed_name: related-user + description: All the user names seen on your event. 
+ flat_name: related.user + ignore_above: 1024 + level: extended + name: user + normalize: + - array + short: All the user names seen on your event. + type: keyword + group: 2 + name: related + prefix: related. + short: Fields meant to facilitate pivoting around a piece of data. + title: Related + type: group +rule: + description: 'Rule fields are used to capture the specifics of any observer or agent + rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web application + firewalls, url filters, endpoint detection and response (EDR) systems, etc.' + fields: + rule.author: + dashed_name: rule-author + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: '["Star-Lord"]' + flat_name: rule.author + ignore_above: 1024 + level: extended + name: author + normalize: + - array + short: Rule author + type: keyword + rule.category: + dashed_name: rule-category + description: A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak + flat_name: rule.category + ignore_above: 1024 + level: extended + name: category + normalize: [] + short: Rule category + type: keyword + rule.description: + dashed_name: rule-description + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols + flat_name: rule.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + short: Rule description + type: keyword + rule.id: + dashed_name: rule-id + description: A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. 
+ example: 101 + flat_name: rule.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: Rule ID + type: keyword + rule.license: + dashed_name: rule-license + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + flat_name: rule.license + ignore_above: 1024 + level: extended + name: license + normalize: [] + short: Rule license + type: keyword + rule.name: + dashed_name: rule-name + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + flat_name: rule.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Rule name + type: keyword + rule.reference: + dashed_name: rule-reference + description: 'Reference URL to additional information about the rule used to + generate this event. + + The URL can point to the vendor''s documentation about the rule. If that''s + not available, it can also be a link to a more general page describing this + type of alert.' + example: https://en.wikipedia.org/wiki/DNS_over_TLS + flat_name: rule.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Rule reference URL + type: keyword + rule.ruleset: + dashed_name: rule-ruleset + description: Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters + flat_name: rule.ruleset + ignore_above: 1024 + level: extended + name: ruleset + normalize: [] + short: Rule ruleset + type: keyword + rule.uuid: + dashed_name: rule-uuid + description: A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. 
+ example: 1100110011 + flat_name: rule.uuid + ignore_above: 1024 + level: extended + name: uuid + normalize: [] + short: Rule UUID + type: keyword + rule.version: + dashed_name: rule-version + description: The version / revision of the rule being used for analysis. + example: 1.1 + flat_name: rule.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Rule version + type: keyword + group: 2 + name: rule + prefix: rule. + short: Fields to capture details about rules used to generate alerts or other notable + events. + title: Rule + type: group +server: + description: 'A Server is defined as the responder in a network connection for events + regarding sessions, connections, or bidirectional flow records. + + For TCP events, the server is the receiver of the initial SYN packet(s) of the + TCP connection. For other protocols, the server is generally the responder in + the network transaction. Some systems actually use the term "responder" to refer + the server in TCP connections. The server fields describe details about the system + acting as the server in the network event. Server fields are usually populated + in conjunction with client fields. Server fields are generally not populated for + packet-level events. + + Client / server representations can add semantic context to an exchange, which + is helpful to visualize the data in certain situations. If your context falls + in that category, you should still ensure that source and destination are filled + appropriately.' + fields: + server.address: + dashed_name: server-address + description: 'Some event server addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' 
+ flat_name: server.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Server network address. + type: keyword + server.as.number: + dashed_name: server-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: server.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + server.as.organization.name: + dashed_name: server-as-organization-name + description: Organization name. + example: Google LLC + flat_name: server.as.organization.name + level: extended + multi_fields: + - flat_name: server.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + server.bytes: + dashed_name: server-bytes + description: Bytes sent from the server to the client. + example: 184 + flat_name: server.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the server to the client. + type: long + server.domain: + dashed_name: server-domain + description: Server domain. + flat_name: server.domain + level: core + name: domain + normalize: [] + short: Server domain. + type: wildcard + server.geo.city_name: + dashed_name: server-geo-city-name + description: City name. + example: Montreal + flat_name: server.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + server.geo.continent_name: + dashed_name: server-geo-continent-name + description: Name of the continent. + example: North America + flat_name: server.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword + server.geo.country_iso_code: + dashed_name: server-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: server.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + server.geo.country_name: + dashed_name: server-geo-country-name + description: Country name. + example: Canada + flat_name: server.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + server.geo.location: + dashed_name: server-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: server.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + server.geo.name: + dashed_name: server-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: server.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + server.geo.region_iso_code: + dashed_name: server-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: server.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + server.geo.region_name: + dashed_name: server-geo-region-name + description: Region name. + example: Quebec + flat_name: server.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + server.ip: + dashed_name: server-ip + description: IP address of the server (IPv4 or IPv6). + flat_name: server.ip + level: core + name: ip + normalize: [] + short: IP address of the server. + type: ip + server.mac: + dashed_name: server-mac + description: MAC address of the server. + flat_name: server.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the server. + type: keyword + server.nat.ip: + dashed_name: server-nat-ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: server.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Server NAT ip + type: ip + server.nat.port: + dashed_name: server-nat-port + description: 'Translated port of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + flat_name: server.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Server NAT port + type: long + server.packets: + dashed_name: server-packets + description: Packets sent from the server to the client. + example: 12 + flat_name: server.packets + level: core + name: packets + normalize: [] + short: Packets sent from the server to the client. + type: long + server.port: + dashed_name: server-port + description: Port of the server. + flat_name: server.port + format: string + level: core + name: port + normalize: [] + short: Port of the server. + type: long + server.registered_domain: + dashed_name: server-registered-domain + description: 'The highest registered server domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: server.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered server domain, stripped of the subdomain. + type: wildcard + server.subdomain: + dashed_name: server-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: server.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + server.top_level_domain: + dashed_name: server-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: server.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + server.user.domain: + dashed_name: server-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: server.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + server.user.email: + dashed_name: server-user-email + description: User email address. + flat_name: server.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + server.user.full_name: + dashed_name: server-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: server.user.full_name + level: extended + multi_fields: + - flat_name: server.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard + server.user.group.domain: + dashed_name: server-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: server.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + server.user.group.id: + dashed_name: server-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: server.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + server.user.group.name: + dashed_name: server-user-group-name + description: Name of the group. + flat_name: server.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + server.user.hash: + dashed_name: server-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: server.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + server.user.id: + dashed_name: server-user-id + description: Unique identifier of the user. + flat_name: server.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + server.user.name: + dashed_name: server-user-name + description: Short name or login of the user. + example: albert + flat_name: server.user.name + level: core + multi_fields: + - flat_name: server.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + server.user.roles: + dashed_name: server-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: server.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + group: 2 + name: server + nestings: + - server.as + - server.geo + - server.user + prefix: server. + reused_here: + - full: server.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: server.geo + schema_name: geo + short: Fields describing a location. + - full: server.user + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields about the server side of a network connection, used with client. + title: Server + type: group +service: + description: 'The service fields describe the service for or from which the data + was collected. 
+ + These fields help you find and correlate logs for a specific service and version.' + fields: + service.ephemeral_id: + dashed_name: service-ephemeral-id + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + flat_name: service.ephemeral_id + ignore_above: 1024 + level: extended + name: ephemeral_id + normalize: [] + short: Ephemeral identifier of this service. + type: keyword + service.id: + dashed_name: service-id + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + flat_name: service.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of the running service. + type: keyword + service.name: + dashed_name: service-name + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics + flat_name: service.name + ignore_above: 1024 + level: core + name: name + normalize: [] + short: Name of the service. + type: keyword + service.node.name: + dashed_name: service-node-name + description: 'Name of a service node. 
+ + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + flat_name: service.node.name + ignore_above: 1024 + level: extended + name: node.name + normalize: [] + short: Name of the service node. + type: keyword + service.state: + dashed_name: service-state + description: Current state of the service. + flat_name: service.state + ignore_above: 1024 + level: core + name: state + normalize: [] + short: Current state of the service. + type: keyword + service.type: + dashed_name: service-type + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + flat_name: service.type + ignore_above: 1024 + level: core + name: type + normalize: [] + short: The type of the service. + type: keyword + service.version: + dashed_name: service-version + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + flat_name: service.version + ignore_above: 1024 + level: core + name: version + normalize: [] + short: Version of the service. + type: keyword + group: 2 + name: service + prefix: service. 
+ short: Fields describing the service for or from which the data was collected. + title: Service + type: group +source: + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. The + source and destination fields are considered the baseline and should always be + filled if an event contains source and destination details from a network transaction. + If the event also contains identification of the client and server roles, then + the client and server fields should also be populated.' + fields: + source.address: + dashed_name: source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + short: Source network address. + type: keyword + source.as.number: + dashed_name: source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + source.as.organization.name: + dashed_name: source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: source.as.organization.name + level: extended + multi_fields: + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + source.bytes: + dashed_name: source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: source.bytes + format: bytes + level: core + name: bytes + normalize: [] + short: Bytes sent from the source to the destination. + type: long + source.domain: + dashed_name: source-domain + description: Source domain. + flat_name: source.domain + level: core + name: domain + normalize: [] + short: Source domain. + type: wildcard + source.geo.city_name: + dashed_name: source-geo-city-name + description: City name. + example: Montreal + flat_name: source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + source.geo.continent_name: + dashed_name: source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + source.geo.country_iso_code: + dashed_name: source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + source.geo.country_name: + dashed_name: source-geo-country-name + description: Country name. + example: Canada + flat_name: source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + source.geo.location: + dashed_name: source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + source.geo.name: + dashed_name: source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: source.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + source.geo.region_iso_code: + dashed_name: source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + source.geo.region_name: + dashed_name: source-geo-region-name + description: Region name. + example: Quebec + flat_name: source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + source.ip: + dashed_name: source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: source.ip + level: core + name: ip + normalize: [] + short: IP address of the source. + type: ip + source.mac: + dashed_name: source-mac + description: MAC address of the source. + flat_name: source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + short: MAC address of the source. + type: keyword + source.nat.ip: + dashed_name: source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: source.nat.ip + level: extended + name: nat.ip + normalize: [] + short: Source NAT ip + type: ip + source.nat.port: + dashed_name: source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + short: Source NAT port + type: long + source.packets: + dashed_name: source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: source.packets + level: core + name: packets + normalize: [] + short: Packets sent from the source to the destination. + type: long + source.port: + dashed_name: source-port + description: Port of the source. + flat_name: source.port + format: string + level: core + name: port + normalize: [] + short: Port of the source. + type: long + source.registered_domain: + dashed_name: source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: source.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered source domain, stripped of the subdomain. + type: wildcard + source.subdomain: + dashed_name: source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + source.top_level_domain: + dashed_name: source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + source.user.domain: + dashed_name: source-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: source.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + source.user.email: + dashed_name: source-user-email + description: User email address. + flat_name: source.user.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: wildcard + source.user.full_name: + dashed_name: source-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: source.user.full_name + level: extended + multi_fields: + - flat_name: source.user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard + source.user.group.domain: + dashed_name: source-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: source.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + source.user.group.id: + dashed_name: source-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: source.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + source.user.group.name: + dashed_name: source-user-group-name + description: Name of the group. + flat_name: source.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + source.user.hash: + dashed_name: source-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: source.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + source.user.id: + dashed_name: source-user-id + description: Unique identifier of the user. 
+ flat_name: source.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + source.user.name: + dashed_name: source-user-name + description: Short name or login of the user. + example: albert + flat_name: source.user.name + level: core + multi_fields: + - flat_name: source.user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + source.user.roles: + dashed_name: source-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: source.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + group: 2 + name: source + nestings: + - source.as + - source.geo + - source.user + prefix: source. + reused_here: + - full: source.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: source.geo + schema_name: geo + short: Fields describing a location. + - full: source.user + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields about the source side of a network connection, used with destination. + title: Source + type: group +threat: + description: "Fields to classify events and alerts according to a threat taxonomy\ + \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ + \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ + \ The threat.tactic.* are meant to capture the high level category of the threat\ + \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ + \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ + \ \"endpoint denial of service\")." 
+ fields: + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword + threat.tactic.id: + dashed_name: threat-tactic-id + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 + flat_name: threat.tactic.id + ignore_above: 1024 + level: extended + name: tactic.id + normalize: + - array + short: Threat tactic id. + type: keyword + threat.tactic.name: + dashed_name: threat-tactic-name + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution + flat_name: threat.tactic.name + ignore_above: 1024 + level: extended + name: tactic.name + normalize: + - array + short: Threat tactic. + type: keyword + threat.tactic.reference: + dashed_name: threat-tactic-reference + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ + \ )" + example: https://attack.mitre.org/tactics/TA0002/ + flat_name: threat.tactic.reference + ignore_above: 1024 + level: extended + name: tactic.reference + normalize: + - array + short: Threat tactic URL reference. + type: keyword + threat.technique.id: + dashed_name: threat-technique-id + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)" + example: T1059 + flat_name: threat.technique.id + ignore_above: 1024 + level: extended + name: technique.id + normalize: + - array + short: Threat technique id. + type: keyword + threat.technique.name: + dashed_name: threat-technique-name + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter + flat_name: threat.technique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.name.text + name: text + norms: false + type: text + name: technique.name + normalize: + - array + short: Threat technique name. + type: keyword + threat.technique.reference: + dashed_name: threat-technique-reference + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + flat_name: threat.technique.reference + ignore_above: 1024 + level: extended + name: technique.reference + normalize: + - array + short: Threat technique URL reference. + type: keyword + threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword + threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword + threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword + group: 2 + name: threat + prefix: threat. + short: Fields to classify events and alerts according to a threat taxonomy. + title: Threat + type: group +tls: + description: Fields related to a TLS connection. These fields focus on the TLS protocol + itself and intentionally avoids in-depth analysis of the related x.509 certificate + files. + fields: + tls.cipher: + dashed_name: tls-cipher + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + flat_name: tls.cipher + ignore_above: 1024 + level: extended + name: cipher + normalize: [] + short: String indicating the cipher used during the current connection. + type: keyword + tls.client.certificate: + dashed_name: tls-client-certificate + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value + also exists in that list. + example: MII... 
+ flat_name: tls.client.certificate + ignore_above: 1024 + level: extended + name: client.certificate + normalize: [] + short: PEM-encoded stand-alone certificate offered by the client. + type: keyword + tls.client.certificate_chain: + dashed_name: tls-client-certificate-chain + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + flat_name: tls.client.certificate_chain + ignore_above: 1024 + level: extended + name: client.certificate_chain + normalize: + - array + short: Array of PEM-encoded certificates that make up the certificate chain + offered by the client. + type: keyword + tls.client.hash.md5: + dashed_name: tls-client-hash-md5 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.client.hash.md5 + ignore_above: 1024 + level: extended + name: client.hash.md5 + normalize: [] + short: Certificate fingerprint using the MD5 digest of DER-encoded version of + certificate offered by the client. + type: keyword + tls.client.hash.sha1: + dashed_name: tls-client-hash-sha1 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.client.hash.sha1 + ignore_above: 1024 + level: extended + name: client.hash.sha1 + normalize: [] + short: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. 
+ type: keyword + tls.client.hash.sha256: + dashed_name: tls-client-hash-sha256 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the client. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.client.hash.sha256 + ignore_above: 1024 + level: extended + name: client.hash.sha256 + normalize: [] + short: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the client. + type: keyword + tls.client.issuer: + dashed_name: tls-client-issuer + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.client.issuer + level: extended + name: client.issuer + normalize: [] + short: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + type: wildcard + tls.client.ja3: + dashed_name: tls-client-ja3 + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 + flat_name: tls.client.ja3 + ignore_above: 1024 + level: extended + name: client.ja3 + normalize: [] + short: A hash that identifies clients based on how they perform an SSL/TLS handshake. + type: keyword + tls.client.not_after: + dashed_name: tls-client-not-after + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.client.not_after + level: extended + name: client.not_after + normalize: [] + short: Date/Time indicating when client certificate is no longer considered + valid. 
+ type: date + tls.client.not_before: + dashed_name: tls-client-not-before + description: Date/Time indicating when client certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.client.not_before + level: extended + name: client.not_before + normalize: [] + short: Date/Time indicating when client certificate is first considered valid. + type: date + tls.client.server_name: + dashed_name: tls-client-server-name + description: Also called an SNI, this tells the server which hostname to which + the client is attempting to connect to. When this value is available, it should + get copied to `destination.domain`. + example: www.elastic.co + flat_name: tls.client.server_name + ignore_above: 1024 + level: extended + name: client.server_name + normalize: [] + short: Hostname the client is trying to connect to. Also called the SNI. + type: keyword + tls.client.subject: + dashed_name: tls-client-subject + description: Distinguished name of subject of the x.509 certificate presented + by the client. + example: CN=myclient, OU=Documentation Team, DC=example, DC=com + flat_name: tls.client.subject + level: extended + name: client.subject + normalize: [] + short: Distinguished name of subject of the x.509 certificate presented by the + client. + type: wildcard + tls.client.supported_ciphers: + dashed_name: tls-client-supported-ciphers + description: Array of ciphers offered by the client during the client hello. + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' + flat_name: tls.client.supported_ciphers + ignore_above: 1024 + level: extended + name: client.supported_ciphers + normalize: + - array + short: Array of ciphers offered by the client during the client hello. + type: keyword + tls.client.x509.alternative_names: + dashed_name: tls-client-x509-alternative-names + description: List of subject alternative names (SAN). 
Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.client.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + tls.client.x509.issuer.common_name: + dashed_name: tls-client-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: tls.client.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + tls.client.x509.issuer.country: + dashed_name: tls-client-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.client.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + tls.client.x509.issuer.distinguished_name: + dashed_name: tls-client-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: tls.client.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: wildcard + tls.client.x509.issuer.locality: + dashed_name: tls-client-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.client.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + tls.client.x509.issuer.organization: + dashed_name: tls-client-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: tls.client.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + tls.client.x509.issuer.organizational_unit: + dashed_name: tls-client-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: tls.client.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + tls.client.x509.issuer.state_or_province: + dashed_name: tls-client-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + tls.client.x509.not_after: + dashed_name: tls-client-x509-not-after + description: Time at which the certificate is no longer considered valid. 
+ example: 2020-07-16 03:15:39+00:00 + flat_name: tls.client.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + tls.client.x509.not_before: + dashed_name: tls-client-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.client.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + tls.client.x509.public_key_algorithm: + dashed_name: tls-client-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.client.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + tls.client.x509.public_key_curve: + dashed_name: tls-client-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: tls.client.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + tls.client.x509.public_key_exponent: + dashed_name: tls-client-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.client.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. 
+ type: long + tls.client.x509.public_key_size: + dashed_name: tls-client-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.client.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + tls.client.x509.serial_number: + dashed_name: tls-client-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.client.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + tls.client.x509.signature_algorithm: + dashed_name: tls-client-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: tls.client.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + tls.client.x509.subject.common_name: + dashed_name: tls-client-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: tls.client.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword + tls.client.x509.subject.country: + dashed_name: tls-client-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.client.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + tls.client.x509.subject.distinguished_name: + dashed_name: tls-client-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: tls.client.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard + tls.client.x509.subject.locality: + dashed_name: tls-client-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.client.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + tls.client.x509.subject.organization: + dashed_name: tls-client-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: tls.client.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + tls.client.x509.subject.organizational_unit: + dashed_name: tls-client-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: tls.client.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + tls.client.x509.subject.state_or_province: + dashed_name: tls-client-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + tls.client.x509.version_number: + dashed_name: tls-client-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.client.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + tls.curve: + dashed_name: tls-curve + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + flat_name: tls.curve + ignore_above: 1024 + level: extended + name: curve + normalize: [] + short: String indicating the curve used for the given cipher, when applicable. + type: keyword + tls.established: + dashed_name: tls-established + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + flat_name: tls.established + level: extended + name: established + normalize: [] + short: Boolean flag indicating if the TLS negotiation was successful and transitioned + to an encrypted tunnel. + type: boolean + tls.next_protocol: + dashed_name: tls-next-protocol + description: String indicating the protocol being tunneled. 
Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + flat_name: tls.next_protocol + ignore_above: 1024 + level: extended + name: next_protocol + normalize: [] + short: String indicating the protocol being tunneled. + type: keyword + tls.resumed: + dashed_name: tls-resumed + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. + flat_name: tls.resumed + level: extended + name: resumed + normalize: [] + short: Boolean flag indicating if this TLS connection was resumed from an existing + TLS negotiation. + type: boolean + tls.server.certificate: + dashed_name: tls-server-certificate + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value + also exists in that list. + example: MII... + flat_name: tls.server.certificate + ignore_above: 1024 + level: extended + name: server.certificate + normalize: [] + short: PEM-encoded stand-alone certificate offered by the server. + type: keyword + tls.server.certificate_chain: + dashed_name: tls-server-certificate-chain + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + flat_name: tls.server.certificate_chain + ignore_above: 1024 + level: extended + name: server.certificate_chain + normalize: + - array + short: Array of PEM-encoded certificates that make up the certificate chain + offered by the server. + type: keyword + tls.server.hash.md5: + dashed_name: tls-server-hash-md5 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. 
For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + flat_name: tls.server.hash.md5 + ignore_above: 1024 + level: extended + name: server.hash.md5 + normalize: [] + short: Certificate fingerprint using the MD5 digest of DER-encoded version of + certificate offered by the server. + type: keyword + tls.server.hash.sha1: + dashed_name: tls-server-hash-sha1 + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + flat_name: tls.server.hash.sha1 + ignore_above: 1024 + level: extended + name: server.hash.sha1 + normalize: [] + short: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. + type: keyword + tls.server.hash.sha256: + dashed_name: tls-server-hash-sha256 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the server. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + flat_name: tls.server.hash.sha256 + ignore_above: 1024 + level: extended + name: server.hash.sha256 + normalize: [] + short: Certificate fingerprint using the SHA256 digest of DER-encoded version + of certificate offered by the server. + type: keyword + tls.server.issuer: + dashed_name: tls-server-issuer + description: Subject of the issuer of the x.509 certificate presented by the + server. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.server.issuer + level: extended + name: server.issuer + normalize: [] + short: Subject of the issuer of the x.509 certificate presented by the server. 
+ type: wildcard + tls.server.ja3s: + dashed_name: tls-server-ja3s + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + flat_name: tls.server.ja3s + ignore_above: 1024 + level: extended + name: server.ja3s + normalize: [] + short: A hash that identifies servers based on how they perform an SSL/TLS handshake. + type: keyword + tls.server.not_after: + dashed_name: tls-server-not-after + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + flat_name: tls.server.not_after + level: extended + name: server.not_after + normalize: [] + short: Timestamp indicating when server certificate is no longer considered + valid. + type: date + tls.server.not_before: + dashed_name: tls-server-not-before + description: Timestamp indicating when server certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + flat_name: tls.server.not_before + level: extended + name: server.not_before + normalize: [] + short: Timestamp indicating when server certificate is first considered valid. + type: date + tls.server.subject: + dashed_name: tls-server-subject + description: Subject of the x.509 certificate presented by the server. + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + flat_name: tls.server.subject + level: extended + name: server.subject + normalize: [] + short: Subject of the x.509 certificate presented by the server. + type: wildcard + tls.server.x509.alternative_names: + dashed_name: tls-server-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. 
+ example: '*.elastic.co' + flat_name: tls.server.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + tls.server.x509.issuer.common_name: + dashed_name: tls-server-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: tls.server.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + tls.server.x509.issuer.country: + dashed_name: tls-server-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.server.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + tls.server.x509.issuer.distinguished_name: + dashed_name: tls-server-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: tls.server.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: wildcard + tls.server.x509.issuer.locality: + dashed_name: tls-server-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.server.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + tls.server.x509.issuer.organization: + dashed_name: tls-server-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: tls.server.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + tls.server.x509.issuer.organizational_unit: + dashed_name: tls-server-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: tls.server.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + tls.server.x509.issuer.state_or_province: + dashed_name: tls-server-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + tls.server.x509.not_after: + dashed_name: tls-server-x509-not-after + description: Time at which the certificate is no longer considered valid. 
+ example: 2020-07-16 03:15:39+00:00 + flat_name: tls.server.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + tls.server.x509.not_before: + dashed_name: tls-server-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.server.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + tls.server.x509.public_key_algorithm: + dashed_name: tls-server-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.server.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + tls.server.x509.public_key_curve: + dashed_name: tls-server-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: tls.server.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + tls.server.x509.public_key_exponent: + dashed_name: tls-server-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.server.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. 
+ type: long + tls.server.x509.public_key_size: + dashed_name: tls-server-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.server.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + tls.server.x509.serial_number: + dashed_name: tls-server-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.server.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + tls.server.x509.signature_algorithm: + dashed_name: tls-server-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: tls.server.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + tls.server.x509.subject.common_name: + dashed_name: tls-server-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: tls.server.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword + tls.server.x509.subject.country: + dashed_name: tls-server-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.server.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + tls.server.x509.subject.distinguished_name: + dashed_name: tls-server-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: tls.server.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard + tls.server.x509.subject.locality: + dashed_name: tls-server-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.server.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + tls.server.x509.subject.organization: + dashed_name: tls-server-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: tls.server.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + tls.server.x509.subject.organizational_unit: + dashed_name: tls-server-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: tls.server.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + tls.server.x509.subject.state_or_province: + dashed_name: tls-server-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + tls.server.x509.version_number: + dashed_name: tls-server-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.server.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + tls.version: + dashed_name: tls-version + description: Numeric part of the version parsed from the original string. + example: '1.2' + flat_name: tls.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Numeric part of the version parsed from the original string. + type: keyword + tls.version_protocol: + dashed_name: tls-version-protocol + description: Normalized lowercase protocol name parsed from original string. + example: tls + flat_name: tls.version_protocol + ignore_above: 1024 + level: extended + name: version_protocol + normalize: [] + short: Normalized lowercase protocol name parsed from original string. + type: keyword + group: 2 + name: tls + nestings: + - tls.client.x509 + - tls.server.x509 + prefix: tls. + reused_here: + - full: tls.client.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. + - full: tls.server.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. 
+ short: Fields describing a TLS connection. + title: TLS + type: group +tracing: + description: Distributed tracing makes it possible to analyze performance throughout + a microservice architecture all in one view. This is accomplished by tracing all + of the requests - from the initial web request in the front-end service - to queries + made through multiple back-end services. + fields: + span.id: + dashed_name: span-id + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to + another service, or a database query.' + example: 3ff9a8981b7ccd5a + flat_name: span.id + ignore_above: 1024 + level: extended + name: span.id + normalize: [] + short: Unique identifier of the span within the scope of its trace. + type: keyword + trace.id: + dashed_name: trace-id + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For + example, a user request handled by multiple inter-connected services.' + example: 4bf92f3577b34da6a3ce929d0e0e4736 + flat_name: trace.id + ignore_above: 1024 + level: extended + name: trace.id + normalize: [] + short: Unique identifier of the trace. + type: keyword + transaction.id: + dashed_name: transaction-id + description: 'Unique identifier of the transaction within the scope of its trace. + + A transaction is the highest level of work measured within a service, such + as a request to a server.' + example: 00f067aa0ba902b7 + flat_name: transaction.id + ignore_above: 1024 + level: extended + name: transaction.id + normalize: [] + short: Unique identifier of the transaction within the scope of its trace. + type: keyword + group: 2 + name: tracing + prefix: '' + root: true + short: Fields related to distributed tracing. 
+ title: Tracing + type: group +url: + description: URL fields provide support for complete or partial URLs, and supports + the breaking down into scheme, domain, path, and so on. + fields: + url.domain: + dashed_name: url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field.' + example: www.elastic.co + flat_name: url.domain + level: extended + name: domain + normalize: [] + short: Domain of the url. + type: wildcard + url.extension: + dashed_name: url-extension + description: 'The field contains the file extension from the original request + url. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png".' + example: png + flat_name: url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + short: File extension from the original request url. + type: keyword + url.fragment: + dashed_name: url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + short: Portion of the url after the `#`. + type: keyword + url.full: + dashed_name: url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: url.full + level: extended + multi_fields: + - flat_name: url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + short: Full unparsed URL. + type: wildcard + url.original: + dashed_name: url-original + description: 'Unmodified original url as seen in the event source. 
+ + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: url.original + level: extended + multi_fields: + - flat_name: url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + short: Unmodified original url as seen in the event source. + type: wildcard + url.password: + dashed_name: url-password + description: Password of the request. + flat_name: url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + short: Password of the request. + type: keyword + url.path: + dashed_name: url-path + description: Path of the request, such as "/search". + flat_name: url.path + level: extended + name: path + normalize: [] + short: Path of the request, such as "/search". + type: wildcard + url.port: + dashed_name: url-port + description: Port of the request, such as 443. + example: 443 + flat_name: url.port + format: string + level: extended + name: port + normalize: [] + short: Port of the request, such as 443. + type: long + url.query: + dashed_name: url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + short: Query string of the request. + type: keyword + url.registered_domain: + dashed_name: url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. 
+ + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: url.registered_domain + level: extended + name: registered_domain + normalize: [] + short: The highest registered url domain, stripped of the subdomain. + type: wildcard + url.scheme: + dashed_name: url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + short: Scheme of the url. + type: keyword + url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + short: The subdomain of the domain. + type: keyword + url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword + url.username: + dashed_name: url-username + description: Username of the request. + flat_name: url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + short: Username of the request. + type: keyword + group: 2 + name: url + prefix: url. + short: Fields that let you store URLs in various forms. + title: URL + type: group +user: + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + fields: + user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: wildcard + user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. + flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. 
+ example: albert + flat_name: user.changes.name + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + user.changes.roles: + dashed_name: user-changes-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.changes.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + user.domain: + dashed_name: user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + short: Name of the directory the user is a member of. + type: keyword + user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: user.effective.full_name + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard + user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. + flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. 
+ flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + user.effective.roles: + dashed_name: user-effective-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.effective.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + user.email: + dashed_name: user-email + description: User email address. + flat_name: user.email + level: extended + name: email + normalize: [] + short: User email address. + type: wildcard + user.full_name: + dashed_name: user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.full_name + level: extended + multi_fields: + - flat_name: user.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + short: User's full name, if available. + type: wildcard + user.group.domain: + dashed_name: user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.group.id: + dashed_name: user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + user.group.name: + dashed_name: user-group-name + description: Name of the group. + flat_name: user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.hash: + dashed_name: user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.id: + dashed_name: user-id + description: Unique identifier of the user. + flat_name: user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier of the user. + type: keyword + user.name: + dashed_name: user-name + description: Short name or login of the user. + example: albert + flat_name: user.name + level: core + multi_fields: + - flat_name: user.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: Short name or login of the user. + type: wildcard + user.roles: + dashed_name: user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + short: Array of user roles at the time of the event. + type: keyword + user.target.domain: + dashed_name: user-target-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: user.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.target.email: + dashed_name: user-target-email + description: User email address. + flat_name: user.target.email + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: wildcard + user.target.full_name: + dashed_name: user-target-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.target.full_name + level: extended + multi_fields: + - flat_name: user.target.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: wildcard + user.target.group.domain: + dashed_name: user-target-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.target.group.id: + dashed_name: user-target-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.target.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + user.target.group.name: + dashed_name: user-target-group-name + description: Name of the group. + flat_name: user.target.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.target.hash: + dashed_name: user-target-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.target.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.target.id: + dashed_name: user-target-id + description: Unique identifier of the user. + flat_name: user.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.target.name: + dashed_name: user-target-name + description: Short name or login of the user. + example: albert + flat_name: user.target.name + level: core + multi_fields: + - flat_name: user.target.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: wildcard + user.target.roles: + dashed_name: user-target-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.target.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword + group: 2 + name: user + nestings: + - user.changes + - user.effective + - user.group + - user.target + prefix: user. + reusable: + expected: + - as: user + at: client + full: client.user + - as: user + at: destination + full: destination.user + - as: user + at: host + full: host.user + - as: user + at: server + full: server.user + - as: user + at: source + full: source.user + - as: target + at: user + full: user.target + - as: effective + at: user + full: user.effective + - as: changes + at: user + full: user.changes + top_level: true + reused_here: + - full: user.group + schema_name: group + short: User's group relevant to the event. 
+ - full: user.target + schema_name: user + short: Fields to describe the user relevant to the event. + - full: user.effective + schema_name: user + short: Fields to describe the user relevant to the event. + - full: user.changes + schema_name: user + short: Fields to describe the user relevant to the event. + short: Fields to describe the user relevant to the event. + title: User + type: group +user_agent: + description: 'The user_agent fields normally come from a browser request. + + They often show up in web service logs coming from the parsed user agent string.' + fields: + user_agent.device.name: + dashed_name: user-agent-device-name + description: Name of the device. + example: iPhone + flat_name: user_agent.device.name + ignore_above: 1024 + level: extended + name: device.name + normalize: [] + short: Name of the device. + type: keyword + user_agent.name: + dashed_name: user-agent-name + description: Name of the user agent. + example: Safari + flat_name: user_agent.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Name of the user agent. + type: keyword + user_agent.original: + dashed_name: user-agent-original + description: Unparsed user_agent string. + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 + (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + flat_name: user_agent.original + level: extended + multi_fields: + - flat_name: user_agent.original.text + name: text + norms: false + type: text + name: original + normalize: [] + short: Unparsed user_agent string. + type: wildcard + user_agent.os.family: + dashed_name: user-agent-os-family + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + flat_name: user_agent.os.family + ignore_above: 1024 + level: extended + name: family + normalize: [] + original_fieldset: os + short: OS family (such as redhat, debian, freebsd, windows). 
+ type: keyword + user_agent.os.full: + dashed_name: user-agent-os-full + description: Operating system name, including the version or code name. + example: Mac OS Mojave + flat_name: user_agent.os.full + level: extended + multi_fields: + - flat_name: user_agent.os.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: os + short: Operating system name, including the version or code name. + type: wildcard + user_agent.os.kernel: + dashed_name: user-agent-os-kernel + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + flat_name: user_agent.os.kernel + ignore_above: 1024 + level: extended + name: kernel + normalize: [] + original_fieldset: os + short: Operating system kernel version as a raw string. + type: keyword + user_agent.os.name: + dashed_name: user-agent-os-name + description: Operating system name, without the version. + example: Mac OS X + flat_name: user_agent.os.name + level: extended + multi_fields: + - flat_name: user_agent.os.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: os + short: Operating system name, without the version. + type: wildcard + user_agent.os.platform: + dashed_name: user-agent-os-platform + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + flat_name: user_agent.os.platform + ignore_above: 1024 + level: extended + name: platform + normalize: [] + original_fieldset: os + short: Operating system platform (such centos, ubuntu, windows). + type: keyword + user_agent.os.version: + dashed_name: user-agent-os-version + description: Operating system version as a raw string. + example: 10.14.1 + flat_name: user_agent.os.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + original_fieldset: os + short: Operating system version as a raw string. 
+ type: keyword + user_agent.version: + dashed_name: user-agent-version + description: Version of the user agent. + example: 12.0 + flat_name: user_agent.version + ignore_above: 1024 + level: extended + name: version + normalize: [] + short: Version of the user agent. + type: keyword + group: 2 + name: user_agent + nestings: + - user_agent.os + prefix: user_agent. + reused_here: + - full: user_agent.os + schema_name: os + short: OS fields contain information about the operating system. + short: Fields to describe a browser user_agent string. + title: User agent + type: group +vlan: + description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, as + well as ingress and egress VLAN associations of an observer in relation to a specific + packet or connection. + + Network.vlan fields are used to record a single VLAN tag, or the outer tag in + the case of q-in-q encapsulations, for a packet or connection as observed, typically + provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. + + Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple + 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. + Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should + only be used in addition to network.vlan fields to indicate q-in-q tagging. + + Observer.ingress and observer.egress VLAN values are used to record observer specific + information when observer events contain discrete ingress and egress VLAN information, + typically provided by firewalls, routers, or load balancers.' + fields: + vlan.id: + dashed_name: vlan-id + description: VLAN ID as reported by the observer. + example: 10 + flat_name: vlan.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: VLAN ID as reported by the observer. + type: keyword + vlan.name: + dashed_name: vlan-name + description: Optional VLAN name as reported by the observer. 
+ example: outside + flat_name: vlan.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + short: Optional VLAN name as reported by the observer. + type: keyword + group: 2 + name: vlan + prefix: vlan. + reusable: + expected: + - as: vlan + at: observer.ingress + full: observer.ingress.vlan + - as: vlan + at: observer.egress + full: observer.egress.vlan + - as: vlan + at: network + full: network.vlan + - as: vlan + at: network.inner + full: network.inner.vlan + top_level: false + short: Fields to describe observed VLAN information. + title: VLAN + type: group +vulnerability: + description: The vulnerability fields describe information about a vulnerability + that is relevant to an event. + fields: + vulnerability.category: + dashed_name: vulnerability-category + description: 'The type of system or architecture that the vulnerability affects. + These may be platform-specific (for example, Debian or SUSE) or general (for + example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys + vulnerability categories]) + + This field must be an array.' + example: '["Firewall"]' + flat_name: vulnerability.category + ignore_above: 1024 + level: extended + name: category + normalize: + - array + short: Category of a vulnerability. + type: keyword + vulnerability.classification: + dashed_name: vulnerability-classification + description: The classification of the vulnerability scoring system. For example + (https://www.first.org/cvss/) + example: CVSS + flat_name: vulnerability.classification + ignore_above: 1024 + level: extended + name: classification + normalize: [] + short: Classification of the vulnerability. + type: keyword + vulnerability.description: + dashed_name: vulnerability-description + description: The description of the vulnerability that provides additional context + of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common + Vulnerabilities and Exposure CVE description]) + example: In macOS before 2.12.6, there is a vulnerability in the RPC... + flat_name: vulnerability.description + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: vulnerability.description.text + name: text + norms: false + type: text + name: description + normalize: [] + short: Description of the vulnerability. + type: keyword + vulnerability.enumeration: + dashed_name: vulnerability-enumeration + description: The type of identifier used for this vulnerability. For example + (https://cve.mitre.org/about/) + example: CVE + flat_name: vulnerability.enumeration + ignore_above: 1024 + level: extended + name: enumeration + normalize: [] + short: Identifier of the vulnerability. + type: keyword + vulnerability.id: + dashed_name: vulnerability-id + description: The identification (ID) is the number portion of a vulnerability + entry. It includes a unique identification number for the vulnerability. For + example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities + and Exposure CVE ID] + example: CVE-2019-00001 + flat_name: vulnerability.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + short: ID of the vulnerability. + type: keyword + vulnerability.reference: + dashed_name: vulnerability-reference + description: A resource that provides additional information, context, and mitigations + for the identified vulnerability. + example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + flat_name: vulnerability.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: Reference of the vulnerability. + type: keyword + vulnerability.report_id: + dashed_name: vulnerability-report-id + description: The report or scan identification number. 
+ example: 20191018.0001 + flat_name: vulnerability.report_id + ignore_above: 1024 + level: extended + name: report_id + normalize: [] + short: Scan identification number. + type: keyword + vulnerability.scanner.vendor: + dashed_name: vulnerability-scanner-vendor + description: The name of the vulnerability scanner vendor. + example: Tenable + flat_name: vulnerability.scanner.vendor + ignore_above: 1024 + level: extended + name: scanner.vendor + normalize: [] + short: Name of the scanner vendor. + type: keyword + vulnerability.score.base: + dashed_name: vulnerability-score-base + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Base scores cover an assessment for exploitability metrics (attack vector, + complexity, privileges, and user interaction), impact metrics (confidentiality, + integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.base + level: extended + name: score.base + normalize: [] + short: Vulnerability Base score. + type: float + vulnerability.score.environmental: + dashed_name: vulnerability-score-environmental + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Environmental scores cover an assessment for any modified Base metrics, confidentiality, + integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)' + example: 5.5 + flat_name: vulnerability.score.environmental + level: extended + name: score.environmental + normalize: [] + short: Vulnerability Environmental score. + type: float + vulnerability.score.temporal: + dashed_name: vulnerability-score-temporal + description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + + Temporal scores cover an assessment for code maturity, remediation level, + and confidence. 
For example (https://www.first.org/cvss/specification-document)' + flat_name: vulnerability.score.temporal + level: extended + name: score.temporal + normalize: [] + short: Vulnerability Temporal score. + type: float + vulnerability.score.version: + dashed_name: vulnerability-score-version + description: 'The National Vulnerability Database (NVD) provides qualitative + severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score + ranges in addition to the severity ratings for CVSS v3.0 as they are defined + in the CVSS v3.0 specification. + + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit + organization, whose mission is to help computer security incident response + teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)' + example: 2.0 + flat_name: vulnerability.score.version + ignore_above: 1024 + level: extended + name: score.version + normalize: [] + short: CVSS version. + type: keyword + vulnerability.severity: + dashed_name: vulnerability-severity + description: The severity of the vulnerability can help with metrics and internal + prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + example: Critical + flat_name: vulnerability.severity + ignore_above: 1024 + level: extended + name: severity + normalize: [] + short: Severity of the vulnerability. + type: keyword + group: 2 + name: vulnerability + prefix: vulnerability. + short: Fields to describe the vulnerability relevant to an event. + title: Vulnerability + type: group +x509: + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in executable + binaries, S/MIME information in email bodies, or analysis of files on disk. When + only a single certificate is logged in an event, it should be nested under `file`. 
+ When hashes of the DER-encoded certificate are available, the `hash` data set + should be populated as well (e.g. `file.hash.sha256`). For events that contain + certificate information for both sides of the connection, the x509 object could + be nested under the respective side of the connection information (e.g. `tls.server.x509`). + fields: + x509.alternative_names: + dashed_name: x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + short: List of subject alternative names (SAN). + type: keyword + x509.issuer.common_name: + dashed_name: x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + short: List of common name (CN) of issuing certificate authority. + type: keyword + x509.issuer.country: + dashed_name: x509-issuer-country + description: List of country (C) codes + example: US + flat_name: x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + short: List of country (C) codes + type: keyword + x509.issuer.distinguished_name: + dashed_name: x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + short: Distinguished name (DN) of issuing certificate authority. 
+ type: wildcard + x509.issuer.locality: + dashed_name: x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + short: List of locality names (L) + type: keyword + x509.issuer.organization: + dashed_name: x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + short: List of organizations (O) of issuing certificate authority. + type: keyword + x509.issuer.organizational_unit: + dashed_name: x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + x509.issuer.state_or_province: + dashed_name: x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + short: List of state or province names (ST, S, or P) + type: keyword + x509.not_after: + dashed_name: x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: x509.not_after + level: extended + name: not_after + normalize: [] + short: Time at which the certificate is no longer considered valid. + type: date + x509.not_before: + dashed_name: x509-not-before + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 + flat_name: x509.not_before + level: extended + name: not_before + normalize: [] + short: Time at which the certificate is first considered valid. + type: date + x509.public_key_algorithm: + dashed_name: x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + short: Algorithm used to generate the public key. + type: keyword + x509.public_key_curve: + dashed_name: x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + x509.public_key_exponent: + dashed_name: x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + short: Exponent used to derive the public key. This is algorithm specific. + type: long + x509.public_key_size: + dashed_name: x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: x509.public_key_size + level: extended + name: public_key_size + normalize: [] + short: The size of the public key space in bits. + type: long + x509.serial_number: + dashed_name: x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA + flat_name: x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Unique serial number issued by the certificate authority. + type: keyword + x509.signature_algorithm: + dashed_name: x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + short: Identifier for certificate signature algorithm. + type: keyword + x509.subject.common_name: + dashed_name: x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + short: List of common names (CN) of subject. + type: keyword + x509.subject.country: + dashed_name: x509-subject-country + description: List of country (C) code + example: US + flat_name: x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + short: List of country (C) code + type: keyword + x509.subject.distinguished_name: + dashed_name: x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard + x509.subject.locality: + dashed_name: x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + short: List of locality names (L) + type: keyword + x509.subject.organization: + dashed_name: x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + short: List of organizations (O) of subject. + type: keyword + x509.subject.organizational_unit: + dashed_name: x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + short: List of organizational units (OU) of subject. + type: keyword + x509.subject.state_or_province: + dashed_name: x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + short: List of state or province names (ST, S, or P) + type: keyword + x509.version_number: + dashed_name: x509-version-number + description: Version of x509 format. + example: 3 + flat_name: x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + short: Version of x509 format. + type: keyword + group: 2 + name: x509 + prefix: x509. + reusable: + expected: + - as: x509 + at: file + full: file.x509 + - as: x509 + at: tls.client + full: tls.client.x509 + - as: x509 + at: tls.server + full: tls.server.x509 + top_level: false + short: These fields contain x509 certificate metadata. + title: x509 Certificate + type: group 
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json new file mode 100644 index 0000000000..7099fcb8c7 --- /dev/null +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -0,0 +1,3332 @@ +{ + "index_patterns": [ + "ecs-*" + ], + "mappings": { + "_meta": { + "version": "1.7.0-dev" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "wildcard" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + 
"registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "type": "wildcard" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "type": "wildcard" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "type": "wildcard" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "wildcard" + }, + "outcome": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "type": "wildcard" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + 
"norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "type": "wildcard" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 
1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "wildcard" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "type": "wildcard" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + 
"bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "type": "wildcard" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "type": "wildcard" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "type": "wildcard" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "wildcard" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + 
"serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, 
+ "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 10000 + } + }, + "refresh_interval": "5s" + } + } +} \ No newline at end of file diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml new file mode 100644 index 0000000000..d09e77111d --- /dev/null +++ b/experimental/schemas/agent.yml @@ -0,0 +1,5 @@ +--- +- name: agent + fields: + - name: build.original + type: wildcard diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml new file mode 100644 index 0000000000..96cf45621c --- /dev/null +++ b/experimental/schemas/as.yml @@ -0,0 +1,5 @@ +--- +- name: as + fields: + - name: organization.name + type: wildcard diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml new file mode 100644 index 0000000000..14ed3a9a37 --- /dev/null +++ b/experimental/schemas/client.yml @@ -0,0 +1,7 @@ +--- + - name: client + fields: + - name: domain + type: wildcard + - name: registered_domain + type: wildcard 
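Review bot: The top-level list item in client.yml is indented one space (`+ - name: client`) while agent.yml and as.yml in the neighbouring hunks start it at column 0 (`+- name: agent`); destination.yml, geo.yml and server.yml later in this series share the indented form. YAML accepts both, but the experimental overlay is easier to diff against the main schemas if every file uses the same shape, so I would change the line to `- name: client` and realign the nested `fields:` block under it. Exact nesting is not fully recoverable from this collapsed rendering, so confirm the indentation against the raw file before normalising.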
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml new file mode 100644
index 0000000000..d64a84c6be
--- /dev/null
+++ b/experimental/schemas/destination.yml
@@ -0,0 +1,7 @@
+---
+ - name: destination
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml new file mode 100644
index 0000000000..54f9ccd69a
--- /dev/null
+++ b/experimental/schemas/dns.yml
@@ -0,0 +1,7 @@
+---
+- name: dns
+ fields:
+ - name: question.name
+ type: wildcard
+ - name: answers.data
+ type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml new file mode 100644
index 0000000000..f2004d3fe0
--- /dev/null
+++ b/experimental/schemas/error.yml
@@ -0,0 +1,9 @@
+---
+- name: error
+ fields:
+ - name: stack_trace
+ index: true
+ type: wildcard
+
+ - name: type
+ type: wildcard
diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml new file mode 100644
index 0000000000..07daa3ac87
--- /dev/null
+++ b/experimental/schemas/event.yml
@@ -0,0 +1,5 @@
+---
+- name: event
+ fields:
+ - name: original
+ type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml new file mode 100644
index 0000000000..f4938d38be
--- /dev/null
+++ b/experimental/schemas/file.yml
@@ -0,0 +1,9 @@
+---
+- name: file
+ fields:
+ - name: directory
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: target_path
+ type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml new file mode 100644
index 0000000000..d3445a5a2b
--- /dev/null
+++ b/experimental/schemas/geo.yml
@@ -0,0 +1,5 @@
+---
+ - name: geo
+ fields:
+ - name: name
+ type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml new file mode 100644
index 0000000000..91f3d1bbc2
--- /dev/null
+++ b/experimental/schemas/host.yml
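Review bot: error.yml sets `index: true` next to `type: wildcard` on stack_trace, the only explicit index override in this series, and nothing records why. That reads as reversing a non-indexed base definition (inferred from the override, not visible in this hunk); a stack trace is unbounded in size and routinely carries internal paths, class names and sometimes argument values, so making it searchable is a deliberate exposure and cost decision that belongs in the file. Note also that the generated template earlier in this series emits wildcard fields without the `ignore_above: 1024` its keyword fields carry (compare registry.key with registry.value), so nothing here bounds the indexed term. I would add above the field: `# Overrides the base definition so stack traces are searchable; wildcard fields get no ignore_above in the generated template, so expect large terms.` If the base field is in fact already indexed, drop the `index: true` line instead.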
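Review bot: event.yml switches `original` to wildcard without the `index: true` that error.yml adds for stack_trace, so whether the raw event becomes searchable depends on what the base definition carries, and the file does not say. event.original is typically the unmodified source record, which is exactly where credentials, tokens and PII land when collectors do not redact; if the intent is to index it, a reviewer should be able to see that decision rather than infer it from the overlay merge. I would add a one-line comment either way, e.g. `# Only the type changes here; index/doc_values come from the base definition.` or `# Indexed on purpose: raw events must be searchable in the experimental mapping.` Which of the two is true is not visible in this hunk.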
@@ -0,0 +1,4 @@
+- name: host
+ fields:
+ - name: hostname
+ type: wildcard
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml new file mode 100644
index 0000000000..1722cdc5e7
--- /dev/null
+++ b/experimental/schemas/http.yml
@@ -0,0 +1,9 @@
+---
+- name: http
+ fields:
+ - name: request.body.content
+ type: wildcard
+ - name: request.referrer
+ type: wildcard
+ - name: response.body.content
+ type: wildcard
diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml new file mode 100644
index 0000000000..8a2f2dd397
--- /dev/null
+++ b/experimental/schemas/log.yml
@@ -0,0 +1,7 @@
+---
+- name: log
+ fields:
+ - name: file.path
+ type: wildcard
+ - name: logger
+ type: wildcard
diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml new file mode 100644
index 0000000000..594581413b
--- /dev/null
+++ b/experimental/schemas/organization.yml
@@ -0,0 +1,5 @@
+---
+- name: organization
+ fields:
+ - name: name
+ type: wildcard
diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml new file mode 100644
index 0000000000..ec9d71a79c
--- /dev/null
+++ b/experimental/schemas/os.yml
@@ -0,0 +1,7 @@
+---
+- name: os
+ fields:
+ - name: name
+ type: wildcard
+ - name: full
+ type: wildcard
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml new file mode 100644
index 0000000000..77a0574348
--- /dev/null
+++ b/experimental/schemas/pe.yml
@@ -0,0 +1,5 @@
+---
+- name: pe
+ fields:
+ - name: original_file_name
+ type: wildcard
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml new file mode 100644
index 0000000000..da492e4564
--- /dev/null
+++ b/experimental/schemas/process.yml
@@ -0,0 +1,13 @@
+---
+- name: process
+ fields:
+ - name: command_line
+ type: wildcard
+ - name: executable
+ type: wildcard
+ - name: name
+ type: wildcard
+ - name: title
+ type: wildcard
+ - name: working_directory
+ type: wildcard
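Review bot: host.yml is the one new schema file in this series that omits the leading `---` document marker; every other file from agent.yml through x509.yml starts with it. YAML does not require the marker, but a uniform header keeps the overlay files consistent and avoids a spurious diff the first time someone normalises them. I would add `---` as the first line of the file.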
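Review bot: request.body.content and response.body.content become wildcard fields here, and in this series' generated template wildcard fields are emitted without the `ignore_above: 1024` that sibling keyword fields carry (compare registry.key with registry.value in the template hunk above). HTTP bodies are attacker-controlled and can run to megabytes, so without a cap the full body is indexed on every event, a storage and ingest-time concern that the other fields in this overlay do not raise. If the tooling honours `ignore_above` on wildcard, I would set an explicit limit on these two fields; otherwise record the decision with `# No ignore_above: full body content is indexed by design; collectors are expected to cap size.` Whether the base definition already limits these fields is not visible in this hunk.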
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml new file mode 100644
index 0000000000..66f6f6b22c
--- /dev/null
+++ b/experimental/schemas/registry.yml
@@ -0,0 +1,9 @@
+---
+- name: registry
+ fields:
+ - name: key
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: data.strings
+ type: wildcard
diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml new file mode 100644
index 0000000000..70c285f374
--- /dev/null
+++ b/experimental/schemas/server.yml
@@ -0,0 +1,7 @@
+---
+ - name: server
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml new file mode 100644
index 0000000000..d810a6cb79
--- /dev/null
+++ b/experimental/schemas/source.yml
@@ -0,0 +1,7 @@
+---
+- name: source
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml new file mode 100644
index 0000000000..4f5378a313
--- /dev/null
+++ b/experimental/schemas/tls.yml
@@ -0,0 +1,11 @@
+---
+- name: tls
+ fields:
+ - name: client.issuer
+ type: wildcard
+ - name: client.subject
+ type: wildcard
+ - name: server.issuer
+ type: wildcard
+ - name: server.subject
+ type: wildcard
diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml new file mode 100644
index 0000000000..0d5f66c36a
--- /dev/null
+++ b/experimental/schemas/url.yml
@@ -0,0 +1,13 @@
+---
+- name: url
+ fields:
+ - name: original
+ type: wildcard
+ - name: full
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml new file mode 100644
index 0000000000..b2af27d5ab
--- /dev/null
+++ b/experimental/schemas/user.yml
@@ -0,0 +1,17 @@ +--- +- name: user + fields: + - name: name + type: wildcard + - name: full_name + type: wildcard + - name: email + type: wildcard + reusable: + expected: + - at: user + as: target + - at: user + as: effective + - at: user + as: changes diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml new file mode 100644 index 0000000000..c413a9d702 --- /dev/null +++ b/experimental/schemas/user_agent.yml @@ -0,0 +1,5 @@ +--- +- name: user_agent + fields: + - name: original + type: wildcard diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml new file mode 100644 index 0000000000..d1c7d8af6b --- /dev/null +++ b/experimental/schemas/x509.yml @@ -0,0 +1,7 @@ +--- +- name: x509 + fields: + - name: issuer.distinguished_name + type: wildcard + - name: subject.distinguished_name + type: wildcard From 947f4108077fe1c212207df6cdd8ae248b6a7b0f Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 6 Oct 2020 15:10:26 -0400 Subject: [PATCH 23/90] Bump version to 1.8.0-dev in branch 1.x (#1011) --- code/go/ecs/version.go | 2 +- docs/fields.asciidoc | 2 +- docs/index.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 1438 ++++++++--------- .../generated/elasticsearch/7/template.json | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/csv/fields.csv | 1368 ++++++++-------- generated/elasticsearch/6/template.json | 2 +- generated/elasticsearch/7/template.json | 2 +- version | 2 +- 11 files changed, 1412 insertions(+), 1412 deletions(-) diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go index ceb8cf7d1d..0921192cae 100644 --- a/code/go/ecs/version.go +++ b/code/go/ecs/version.go @@ -20,4 +20,4 @@ package ecs // Version is the Elastic Common Schema version from which this was generated. -const Version = "1.7.0-dev" +const Version = "1.8.0-dev" diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 1de0fae653..bb07676dcb 100644 
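Review bot: The `reusable.expected` block in user.yml lists only the user-under-user nestings (target, effective, changes) and says nothing about the client, server, source and destination nestings that the generated template in this series still carries with wildcard types (server.user.email and source.user.email appear as wildcard in the template hunk above). That suggests the overlay extends rather than replaces the base list, but the file does not say so, and a reader of this directory cannot tell whether omitting a nesting here would drop it. I would add a comment above `reusable:` such as `# Extends the base reusable list; the self-nestings are listed because they are new in the experimental schema.` This is hedged, since the merge semantics live in the generator, outside this hunk.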
--- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -2,7 +2,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 1.7.0-dev. +This is the documentation of ECS version 1.8.0-dev. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index c71023e83a..198abfce07 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -8,7 +8,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 1.7.0-dev. +This is the documentation of ECS version 1.8.0-dev. [float] === What is ECS? diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 35064b122e..bfb0deef1a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.7.0-dev. +# based on ECS version 1.8.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 62979dd9b5..ce0f216357 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,720 +1,720 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.7.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.7.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.7.0-dev,true,client,client.port,long,core,,,Port of the client. -1.7.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.7.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.7.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.7.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.7.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-1.7.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.7.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.7.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
-1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.7.0-dev,true,error,error.message,text,core,,,Error message. -1.7.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -1.7.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.7.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
-1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.7.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,file,file.created,date,extended,,,File creation time. -1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.7.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension. -1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. 
-1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.7.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -1.7.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 
-1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.7.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.7.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 
-1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.7.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.7.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.7.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.7.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." 
-1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
-1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
-1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.7.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
-1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.7.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 
-1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.7.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -1.7.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.7.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.7.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
-1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -1.7.0-dev,true,process,process.title,wildcard,extended,,,Process title. -1.7.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.7.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.7.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.7.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.7.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
-1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.7.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.7.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.7.0-dev,true,server,server.port,long,core,,,Port of the server. -1.7.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.7.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.7.0-dev,true,source,source.port,long,core,,,Port of the source. -1.7.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.7.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
-1.7.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.7.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.7.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.7.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.7.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.7.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
-1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.7.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.7.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -1.7.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -1.7.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,user,user.email,wildcard,extended,,,User email address. -1.7.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
-1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -1.7.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-1.7.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain. +1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 
+1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.8.0-dev,true,client,client.port,long,core,,,Port of the client. +1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. 
+1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.8.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.8.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. +1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 
+1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 
+1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 
+1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.8.0-dev,true,error,error.message,text,core,,,Error message. +1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+1.8.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,file,file.created,date,extended,,,File creation time. +1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
+1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 
+1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. +1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 
+1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 
+1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. 
+1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. +1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
+1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 
+1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. +1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. +1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
+1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title. +1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain. +1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.8.0-dev,true,server,server.port,long,core,,,Port of the server. +1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain. +1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.8.0-dev,true,source,source.port,long,core,,,Port of the source. +1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
+1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. +1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. +1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
+1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. +1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
+1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 7099fcb8c7..f4fdf59c7c 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.7.0-dev" + "version": "1.8.0-dev" }, "date_detection": false, "dynamic_templates": [ 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 807ffd2115..5f83a8e466 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.7.0-dev. +# based on ECS version 1.8.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index baa380bfb8..a53eaad897 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,685 +1,685 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.7.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.7.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.7.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.7.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.7.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.7.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.7.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.7.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.7.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.7.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.7.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.7.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.7.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.7.0-dev,true,client,client.domain,keyword,core,,,Client domain. -1.7.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.7.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.7.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -1.7.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.7.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.7.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.7.0-dev,true,client,client.port,long,core,,,Port of the client. -1.7.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.7.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -1.7.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.7.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. -1.7.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.7.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.7.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.7.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.7.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.7.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.7.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.7.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.7.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.7.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.7.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.7.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-1.7.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.7.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.7.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.7.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.7.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.7.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.7.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.7.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. -1.7.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.7.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-1.7.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.7.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.7.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.7.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.7.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.7.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -1.7.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. 
-1.7.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.7.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.7.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-1.7.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.7.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.7.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -1.7.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.7.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.7.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.7.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.7.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.7.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.7.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.7.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -1.7.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.7.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.7.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-1.7.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.7.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.7.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.7.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.7.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.7.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.7.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.7.0-dev,true,error,error.message,text,core,,,Error message. -1.7.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. -1.7.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.7.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.7.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.7.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.7.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.7.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.7.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.7.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.7.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-1.7.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.7.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.7.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.7.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.7.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.7.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.7.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.7.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.7.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.7.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.7.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.7.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.7.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.7.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.7.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.7.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
-1.7.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.7.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.7.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.7.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.7.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,file,file.created,date,extended,,,File creation time. -1.7.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.7.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.7.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -1.7.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.7.0-dev,true,file,file.extension,keyword,extended,,png,File extension. -1.7.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.7.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.7.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 
-1.7.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.7.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.7.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.7.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.7.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.7.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.7.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.7.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.7.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
-1.7.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -1.7.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.7.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.7.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.7.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.7.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-1.7.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.7.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.7.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.7.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.7.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.7.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -1.7.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.7.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.7.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.7.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.7.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
-1.7.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.7.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.7.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.7.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.7.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,host,host.user.email,keyword,extended,,,User email address. -1.7.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. -1.7.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.7.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. 
-1.7.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.7.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.7.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.7.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.7.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.7.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.7.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. -1.7.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.7.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.7.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.7.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.7.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.7.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.7.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.7.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.7.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.7.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.7.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
-1.7.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.7.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.7.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.7.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.7.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.7.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.7.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.7.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.7.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.7.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.7.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.7.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.7.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.7.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.7.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.7.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.7.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
-1.7.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.7.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.7.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.7.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.7.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.7.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.7.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.7.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
-1.7.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -1.7.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.7.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.7.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.7.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.7.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.7.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.7.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.7.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.7.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.7.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.7.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.7.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.7.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.7.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.7.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.7.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.7.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.7.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.7.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -1.7.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.7.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.7.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.7.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.7.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.7.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.7.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -1.7.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.7.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.7.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
-1.7.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.7.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -1.7.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.7.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.7.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.7.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.7.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.7.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-1.7.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -1.7.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.7.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.7.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.7.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.7.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.7.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.7.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.7.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.7.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.7.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-1.7.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.7.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.7.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.7.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.7.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.7.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.7.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.7.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.7.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.7.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
-1.7.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.7.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.7.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -1.7.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -1.7.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.7.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.7.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.7.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.7.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.7.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.7.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.7.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.7.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
-1.7.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.7.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.7.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -1.7.0-dev,true,process,process.title,keyword,extended,,,Process title. -1.7.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.7.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.7.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.7.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.7.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.7.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.7.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.7.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.7.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.7.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.7.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.7.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.7.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-1.7.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.7.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.7.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.7.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.7.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.7.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.7.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.7.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.7.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.7.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.7.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.7.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.7.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.7.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.7.0-dev,true,server,server.domain,keyword,core,,,Server domain. -1.7.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.7.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.7.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.7.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -1.7.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.7.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.7.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.7.0-dev,true,server,server.port,long,core,,,Port of the server. -1.7.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.7.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -1.7.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-1.7.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. -1.7.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.7.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.7.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.7.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.7.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.7.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.7.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.7.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.7.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.7.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.7.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.7.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.7.0-dev,true,source,source.domain,keyword,core,,,Source domain. -1.7.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.7.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.7.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-1.7.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.7.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.7.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.7.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.7.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.7.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.7.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -1.7.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.7.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.7.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.7.0-dev,true,source,source.port,long,core,,,Port of the source. -1.7.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.7.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -1.7.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.7.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. -1.7.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.7.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.7.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.7.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.7.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-1.7.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.7.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.7.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.7.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.7.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.7.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.7.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.7.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.7.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.7.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.7.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.7.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.7.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.7.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.7.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.7.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.7.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
-1.7.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.7.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.7.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.7.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.7.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.7.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.7.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.7.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.7.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.7.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.7.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.7.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.7.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.7.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.7.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.7.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.7.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.7.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.7.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.7.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.7.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.7.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.7.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.7.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.7.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.7.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.7.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.7.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.7.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.7.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -1.7.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -1.7.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.7.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.7.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.7.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.7.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.7.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.7.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." 
-1.7.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.7.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.7.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.7.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.7.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.7.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.7.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.7.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.7.0-dev,true,user,user.email,keyword,extended,,,User email address. -1.7.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.7.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.7.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.7.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -1.7.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.7.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.7.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.7.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.7.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 
-1.7.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.7.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.7.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.7.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.7.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.7.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.7.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.7.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.7.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.7.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.7.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-1.7.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.7.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.7.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -1.7.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.7.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.7.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.7.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.7.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+1.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.8.0-dev,true,client,client.domain,keyword,core,,,Client domain. +1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 
+1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.8.0-dev,true,client,client.port,long,core,,,Port of the client. +1.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +1.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. 
+1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.8.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.8.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+1.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.8.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. +1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 
+1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +1.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
+1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 
+1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.8.0-dev,true,error,error.message,text,core,,,Error message. +1.8.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. +1.8.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,file,file.created,date,extended,,,File creation time. +1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
+1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 
+1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. +1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 
+1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,host,host.user.email,keyword,extended,,,User email address. +1.8.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.8.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. +1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 
+1.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.8.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. 
+1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 
+1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
+1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 
+1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 
+1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 
+1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.title,keyword,extended,,,Process title. +1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.8.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.8.0-dev,true,server,server.domain,keyword,core,,,Server domain. +1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.8.0-dev,true,server,server.port,long,core,,,Port of the server. +1.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +1.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.8.0-dev,true,source,source.domain,keyword,core,,,Source domain. +1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.8.0-dev,true,source,source.port,long,core,,,Port of the source. +1.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +1.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
+1.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.8.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.8.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." 
+1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.email,keyword,extended,,,User email address. +1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 
+1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 493159d4b3..ead8e6ee27 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -5,7 +5,7 @@ "mappings": { "_doc": { "_meta": { - "version": "1.7.0-dev" + "version": "1.8.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b63f3af1c7..bd5fcd8a20 100644 
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
 ],
 "mappings": {
 "_meta": {
- "version": "1.7.0-dev"
+ "version": "1.8.0-dev"
 },
 "date_detection": false,
 "dynamic_templates": [
diff --git a/version b/version
index de023c91b1..0ef074f2ec 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.7.0-dev
+1.8.0-dev
From 1dc6240e3a0c6edc59a4fc0a6ac098ba0d8ae431 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Tue, 6 Oct 2020 15:44:19 -0400
Subject: [PATCH 24/90] Cut 1.7 changelog (#1010) (#1012)
---
 CHANGELOG.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.next.md | 21 ---------------------
 2 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b6a774967..27c5171ca3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,49 @@
 # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
+## [1.7.0](https://github.com/elastic/ecs/compare/v1.6.0...v1.7.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+
+#### Added
+
+* Added Mime Type fields to HTTP request and response. #944
+* Added network directions ingress and egress. #945
+* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
+* Added `configuration` as an allowed `event.category`. #963
+
+#### Improvements
+
+* Expanded field set definitions for `source.*` and `destination.*`. #967
+* Provided better guidance for mapping network events. #969
+* Added the field `.subdomain` under `client`, `destination`, `server`, `source`
+ and `url`, to match its presence at `dns.question.subdomain`. #981
+
+### Tooling and Artifact Changes
+
+#### Bugfixes
+
+* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
+
+#### Added
+
+* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
+* Added check under `--strict` that ensures composite types in example fields are quoted. #966
+* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
+* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
+* Added a new directory with experimental artifacts, which includes all changes
+ from RFCs that have reached stage 2. #993
+
+#### Improvements
+
+* Field details Jinja2 template components have been consolidated into one template #897
+* Add `[discrete]` marker before each section header in field details. #989
+
+
 ## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0)
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 417377de00..ef52884095 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -14,21 +14,10 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
-* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
-
 #### Added
-* Added Mime Type fields to HTTP request and response. #944
-* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
-* Added `configuration` as an allowed `event.category`. #963
-* Added network directions ingress and egress. #945
-
 #### Improvements
-* Expanded field set definitions for `source.*` and `destination.*`. #967
-* Provided better guidance for mapping network events. #969
-* Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981
-
 #### Deprecated
 ### Tooling and Artifact Changes
@@ -37,20 +26,10 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
-* Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960
-
 #### Added
-* Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937
-* Added check under `--strict` that ensures composite types in example fields are quoted. #966
-* Added `ignore_above` and `normalizer` support for keyword multi-fields. #971
-* Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991
-
 #### Improvements
-* Field details Jinja2 template components have been consolidated into one template #897
-* Add `[discrete]` marker before each section header in field details. #989
-
 #### Deprecated
From 501d404fab561f2780e0afc0a5028f9a9780bf00 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Thu, 8 Oct 2020 11:35:50 -0400
Subject: [PATCH 25/90] [1.x] Clarify that file extension should exclude the dot. (#1016) (#1020)
---
 CHANGELOG.md | 1 +
 code/go/ecs/file.go | 4 +++-
 docs/field-details.asciidoc | 4 +++-
 experimental/generated/beats/fields.ecs.yml | 5 ++++-
 experimental/generated/csv/fields.csv | 2 +-
 experimental/generated/ecs/ecs_flat.yml | 7 +++++--
 experimental/generated/ecs/ecs_nested.yml | 7 +++++--
 generated/beats/fields.ecs.yml | 5 ++++-
 generated/csv/fields.csv | 2 +-
 generated/ecs/ecs_flat.yml | 7 +++++--
 generated/ecs/ecs_nested.yml | 7 +++++--
 schemas/file.yml | 7 ++++++-
 12 files changed, 43 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27c5171ca3..2150e1c38f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file based on the
 #### Bugfixes
 * The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964
+* Clarify the definition of `file.extension` (no dots). #1016
 #### Added
diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go
index 1dc53d28b0..09713b7bf4 100644
--- a/code/go/ecs/file.go
+++ b/code/go/ecs/file.go
@@ -55,7 +55,9 @@ type File struct {
 // Target path for symlinks.
 TargetPath string `ecs:"target_path"`
- // File extension.
+ // File extension, excluding the leading dot.
+ // Note that when the file name has multiple extensions (example.tar.gz),
+ // only the last one should be captured ("gz", not "tar.gz").
 Extension string `ecs:"extension"`
 // File type (file, dir, or symlink).
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 9bd030d0af..f961b6fa89 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2109,7 +2109,9 @@ example: `C`
 // ===============================================================
 | file.extension
-| File extension.
+| File extension, excluding the leading dot.
+
+Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
 type: keyword
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index bfb0deef1a..da99874ab5 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1568,7 +1568,10 @@
 level: extended
 type: keyword
 ignore_above: 1024
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 - name: gid
 level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index ce0f216357..15b7de8404 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -174,7 +174,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
 1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension.
+1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 5f27925261..13a7c32325 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2502,14 +2502,17 @@ file.drive_letter:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only the
+ last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 1c40d63dfd..bfb2df366d 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2925,14 +2925,17 @@ file:
 type: keyword
 file.extension:
 dashed_name: file-extension
- description: File extension.
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
 example: png
 flat_name: file.extension
 ignore_above: 1024
 level: extended
 name: extension
 normalize: []
- short: File extension.
+ short: File extension, excluding the leading dot.
 type: keyword
 file.gid:
 dashed_name: file-gid
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 5f83a8e466..e4b1f1bb45 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1604,7 +1604,10 @@ level: extended type: keyword ignore_above: 1024 - description: File extension. + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: gid level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a53eaad897..04f8d184ed 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.8.0-dev,true,file,file.extension,keyword,extended,,png,File extension. +1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 08277b4372..81a1ee4950 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2544,14 +2544,17 @@ file.drive_letter: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b4fecef933..1ca8779d5e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2968,14 +2968,17 @@ file: type: keyword file.extension: dashed_name: file-extension - description: File extension. + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: file.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension. + short: File extension, excluding the leading dot. type: keyword file.gid: dashed_name: file-gid diff --git a/schemas/file.yml b/schemas/file.yml index 4856f22648..545b4661fa 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -74,7 +74,12 @@ - name: extension level: extended type: keyword - description: File extension. + short: File extension, excluding the leading dot. + description: > + File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), + only the last one should be captured ("gz", not "tar.gz"). example: png - name: type From 14141ec850b21888a35b15730bd67263bf543cfe Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Thu, 8 Oct 2020 16:01:19 -0500 Subject: [PATCH 26/90] [1.x] Add usage docs section (#988) (#1024) Co-authored-by: Mathieu Martin --- CHANGELOG.md | 1 + Makefile | 2 +- docs/usage/README.md | 40 +++++++++++++++++++++++++++ scripts/generators/asciidoc_fields.py | 13 ++++++++- scripts/generators/ecs_helpers.py | 9 ++++++ scripts/templates/field_details.j2 | 13 ++++++++- scripts/tests/test_asciidoc_fields.py | 10 +++++++ 7 files changed, 85 insertions(+), 3 deletions(-) create mode 100644 docs/usage/README.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 2150e1c38f..2ee6329197 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ All notable changes to this project will be documented in this file based on the * Introduced `--strict` flag to perform stricter schema validation when running the generator script. #937 * Added check under `--strict` that ensures composite types in example fields are quoted. #966 * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971 +* Added ability to supply free-form usage documentation per fieldset. #988 * Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991 * Added a new directory with experimental artifacts, which includes all changes from RFCs that have reached stage 2. #993 diff --git a/Makefile b/Makefile index 4261504635..07f0442421 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ docs: if [ ! -d $(PWD)/build/docs ]; then \ git clone --depth=1 https://github.com/elastic/docs.git ./build/docs ; \ fi - ./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=1 $(OPEN_DOCS) --out ./build/html_docs + ./build/docs/build_docs --asciidoctor --doc ./docs/index.asciidoc --chunk=2 $(OPEN_DOCS) --out ./build/html_docs # Alias to generate experimental artifacts .PHONY: experimental diff --git a/docs/usage/README.md b/docs/usage/README.md new file mode 100644 index 0000000000..fce7219a2b --- /dev/null 
+++ b/docs/usage/README.md @@ -0,0 +1,40 @@ +# Usage Docs + +ECS fields can benefit from additional context and examples which describe their real-world usage. This directory provides a place in the documentation to capture these usage details. AsciiDoc markdown files can be added for any fieldset defined in ECS. + +## Adding a Usage Doc + +1. Create an AsciiDoc formatted file with the `.asciidoc` file extension. +2. Save the file in this directory (`docs/usage`), naming it after its associated field set (e.g. a usage document for the fields defined in `schemas/base.yml` fields would be named `docs/usage/base.asciidoc`). +3. The anchor at the top of the file (e.g. `[[ecs-base-usage]]`) must use the following convention for valid link references in the generated docs: `[[ecs-<>-usage]]`. +4. Run `make`. The asciidoc generator will generate the ECS field reference, including the present usage docs. + +If the filename doesn't match a currently defined fieldset, the usage document will not appear on the ECS docs site. This logic is handled in the AsciiDoc generator scripts, `scripts/generators/asciidoc_fields.py`. + +## Template + +The following is a simple AsciiDoc template as a starting point: + +```asciidoc + +[[ecs-fieldset-usage]] +==== Fieldset Usage + +Add relevant text here. + +[discrete] +===== New Section header + +Text for the new section. + +[discrete] +===== Examples + +[source,sh] +----------- +{ + "key": "value" +} +----------- + +``` diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py index 2aa6f4a8cd..e5e2262bd0 100644 --- a/scripts/generators/asciidoc_fields.py +++ b/scripts/generators/asciidoc_fields.py 
@@ -72,6 +72,15 @@ def sort_fields(fieldset): return sorted(fields_list, key=lambda field: field['name']) +def check_for_usage_doc(fieldset_name, usage_file_list=ecs_helpers.usage_doc_files()): + """Checks if a usage doc exists for the specified + fieldset. + + :param fieldset_name: The name of the target fieldset + """ + return f"{fieldset_name}.asciidoc" in usage_file_list + + def templated(template_name): """Decorator function to simplify rendering a template. @@ -138,10 +147,12 @@ def generate_field_details_page(fieldset): sorted_reuse_fields = render_fieldset_reuse_text(fieldset) render_nestings_reuse_fields = render_nestings_reuse_section(fieldset) sorted_fields = sort_fields(fieldset) + usage_doc = check_for_usage_doc(fieldset.get('name')) return dict(fieldset=fieldset, sorted_reuse_fields=sorted_reuse_fields, render_nestings_reuse_section=render_nestings_reuse_fields, - sorted_fields=sorted_fields) + sorted_fields=sorted_fields, + usage_doc=usage_doc) # Allowed values section diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py index 275c0569ac..2da446f3e3 100644 --- a/scripts/generators/ecs_helpers.py +++ b/scripts/generators/ecs_helpers.py @@ -2,6 +2,7 @@ import os import yaml import git +import pathlib import warnings from collections import OrderedDict @@ -113,6 +114,14 @@ def get_tree_by_ref(ref): return commit.tree +def usage_doc_files(): + usage_docs_dir = os.path.join(os.path.dirname(__file__), '../../docs/usage') + usage_docs_path = pathlib.Path(usage_docs_dir) + if usage_docs_path.is_dir(): + return [x.name for x in usage_docs_path.glob('*.asciidoc') if x.is_file()] + return [] + + def ecs_files(): """Return the schema file list to load""" schema_glob = os.path.join(os.path.dirname(__file__), '../../schemas/*.yml') diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2 index 1ceedf55e0..3eef363fa8 100644 --- a/scripts/templates/field_details.j2 +++ b/scripts/templates/field_details.j2 
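Review bot: The default `usage_file_list=ecs_helpers.usage_doc_files()` in `check_for_usage_doc` is evaluated once, when the module is imported, so the directory scan runs at import time (including whenever the tests import the generator) and a usage doc added later in the same process is never seen. The usual shape is `usage_file_list=None` as the default followed by `if usage_file_list is None: usage_file_list = ecs_helpers.usage_doc_files()` at the top of the body, which still allows the explicit override the new tests rely on. The docstring should also name the second parameter, e.g. `:param usage_file_list: file names found under docs/usage; defaults to scanning that directory`.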
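Review bot: `usage_doc_files` in ecs_helpers.py has no docstring, unlike the neighbouring `ecs_files`, and it builds the path with `os.path.join` only to wrap the result in `pathlib.Path` on the next line. A one-line docstring such as `"""Return the file names of the usage docs under docs/usage (empty list when the directory is absent)."""` and a single expression `usage_docs_path = pathlib.Path(__file__).parent / '../../docs/usage'` would say the same thing more directly. The `x.is_file()` filter is there to skip a directory that happens to be named `*.asciidoc`, which deserves a short comment since the reason is not obvious from the glob.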
@@ -4,6 +4,12 @@ {{ fieldset['description']|replace("\n", "\n\n") }} +{%- if usage_doc %} + +Find additional usage and examples in the {{ fieldset['name'] }} fields <> section. + +{% endif %} + {# Field Details Table Header -#} [discrete] ==== {{ fieldset['title'] }} Field Details @@ -113,4 +119,9 @@ Note also that the `{{ fieldset['name'] }}` fields are not expected to be used d |===== {% endif %}{# if 'nestings' #} -{%- endif %}{# if 'nestings' or 'reusable' in fieldset #} +{%- endif -%}{# if 'nestings' or 'reusable' in fieldset #} +{%- if usage_doc %} + +include::usage/{{ fieldset['name'] }}.asciidoc[] + +{% endif %} diff --git a/scripts/tests/test_asciidoc_fields.py b/scripts/tests/test_asciidoc_fields.py index 1a099a9958..2fbec15e84 100644 --- a/scripts/tests/test_asciidoc_fields.py +++ b/scripts/tests/test_asciidoc_fields.py @@ -127,6 +127,16 @@ def test_rendering_fieldset_nesting(self): self.assertEqual('as', foo_nesting_fields[0]['name']) self.assertEqual('Fields describing an AS', foo_nesting_fields[0]['short']) + def test_check_for_usage_doc_true(self): + usage_files = ["foo.asciidoc"] + foo_name = self.foo_fieldset.get('name') + self.assertTrue(asciidoc_fields.check_for_usage_doc(foo_name, usage_file_list=usage_files)) + + def test_check_for_usage_doc_false(self): + usage_files = ["notfoo.asciidoc"] + foo_name = self.foo_fieldset.get('name') + self.assertFalse(asciidoc_fields.check_for_usage_doc(foo_name, usage_file_list=usage_files)) + if __name__ == '__main__': unittest.main() From 35764fa143d9fd4c840e3332b716c484a39ac313 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Fri, 16 Oct 2020 18:01:37 -0500 Subject: [PATCH 27/90] [1.x] feat: include alias path when generating template (#877) (#1035) Co-authored-by: Richard Gomez <32133502+rgmz@users.noreply.github.com> --- CHANGELOG.next.md | 2 ++ schemas/README.md | 12 ++++++++++++ scripts/generators/beats.py | 2 +- scripts/generators/es_template.py | 2 ++ scripts/schema/cleaner.py | 6 ++++++ scripts/tests/test_es_template.py | 13 +++++++++++++ scripts/tests/unit/test_schema_cleaner.py | 7 +++++++ 7 files changed, 43 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ef52884095..0df635da67 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -28,6 +28,8 @@ Thanks, you're awesome :-) --> #### Added +* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877 + #### Improvements #### Deprecated diff --git a/schemas/README.md b/schemas/README.md index c87be195a3..88440c0354 100644 --- a/schemas/README.md +++ b/schemas/README.md @@ -151,6 +151,18 @@ Supported keys to describe expected values for a field Optionally, entries in this list can specify 'expected\_event\_types'. - expected\_event\_types: list of expected "event.type" values to use in association with that category. + +Supported keys when using the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html) + +```YAML + - name: a_field + level: extended + type: alias + path: another_field + description: > + An alias of another field. +``` +- path (optional): The full path to the [aliases' target field](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html#alias-targets). #### Multi\_fields diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index f305261407..457fecc5ec 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py 
@@ -34,7 +34,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix): allowed_keys = ['name', 'level', 'required', 'type', 'object_type', 'ignore_above', 'multi_fields', 'format', 'input_format', 'output_format', 'output_precision', 'description', - 'example', 'enabled', 'index'] + 'example', 'enabled', 'index', 'path'] multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above'] fields = [] diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 5bf264a784..08e925f0ae 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -59,6 +59,8 @@ def entry_for(field): ecs_helpers.dict_copy_existing_keys(field, field_entry, ['ignore_above']) elif field['type'] == 'text': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms']) + elif field['type'] == 'alias': + ecs_helpers.dict_copy_existing_keys(field, field_entry, ['path']) if 'multi_fields' in field: field_entry['fields'] = {} diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py index 5f15d459fe..fa5838cbb7 100644 --- a/scripts/schema/cleaner.py +++ b/scripts/schema/cleaner.py @@ -158,6 +158,12 @@ def field_mandatory_attributes(field): return current_field_attributes = sorted(field['field_details'].keys()) missing_attributes = ecs_helpers.list_subtract(FIELD_MANDATORY_ATTRIBUTES, current_field_attributes) + + # The `alias` type requires a target path. + # https://github.com/elastic/ecs/issues/876 + if field['field_details'].get('type') == 'alias' and 'path' not in current_field_attributes: + missing_attributes.append('path') + if len(missing_attributes) > 0: msg = "Field is missing the following mandatory attributes: {}.\nFound these: {}.\nField details: {}" raise ValueError(msg.format(', '.join(missing_attributes), diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index 9ff4c30306..9136f8b99e 100644 --- a/scripts/tests/test_es_template.py 
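Review bot: The new check in `field_mandatory_attributes` only verifies that an `alias` field carries a `path` key; nothing in this commit verifies that the value names a field that exists in the schema, so a typo in `path` passes the cleaner and only surfaces when Elasticsearch rejects the generated template. This function sees one field at a time, so the existence check presumably belongs in a later pass that has the whole field map; a `# TODO: validate that `path` resolves to a defined field` next to the new block would keep that from being forgotten. The enclosing function starts before this hunk.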
+++ b/scripts/tests/test_es_template.py @@ -109,6 +109,19 @@ def test_entry_for_index(self): } self.assertEqual(es_template.entry_for(test_map), exp) + def test_entry_for_alias(self): + test_map = { + 'name': 'test.alias', + 'type': 'alias', + 'path': 'alias.target' + } + + exp = { + 'type': 'alias', + 'path': 'alias.target' + } + self.assertEqual(es_template.entry_for(test_map), exp) + if __name__ == '__main__': unittest.main() diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py index 8298a32bb3..ba86728e2d 100644 --- a/scripts/tests/unit/test_schema_cleaner.py +++ b/scripts/tests/unit/test_schema_cleaner.py @@ -157,6 +157,13 @@ def test_field_raises_on_missing_required_attributes(self): "mandatory attributes: {}".format(missing_attribute)): cleaner.field_mandatory_attributes(field) + def test_field_raises_on_alias_missing_path_attribute(self): + field = self.schema_process()['process']['fields']['pid'] + field['field_details']['type'] = "alias" + with self.assertRaisesRegex(ValueError, + "mandatory attributes: {}".format("path")): + cleaner.field_mandatory_attributes(field) + def test_field_simple_cleanup(self): my_field = { 'field_details': { From a173cda2e3ecb19963974c5c1ab4d23062e6eaaa Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 28 Oct 2020 12:12:58 -0500 Subject: [PATCH 28/90] [1.x] Add support for `scaling_factor` in the generator (#1042) (#1055) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 1 + scripts/generators/beats.py | 2 +- scripts/generators/es_template.py | 2 ++ scripts/schema/cleaner.py | 6 ++++-- scripts/tests/test_es_template.py | 13 +++++++++++++ scripts/tests/unit/test_schema_cleaner.py | 7 +++++++ 6 files changed, 28 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 0df635da67..2d4e349ec7 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -29,6 +29,7 @@ Thanks, you're awesome :-) --> #### Added * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877 +* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042 #### Improvements diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index 457fecc5ec..0d182b40db 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py @@ -34,7 +34,7 @@ def fieldset_field_array(source_fields, df_whitelist, fieldset_prefix): allowed_keys = ['name', 'level', 'required', 'type', 'object_type', 'ignore_above', 'multi_fields', 'format', 'input_format', 'output_format', 'output_precision', 'description', - 'example', 'enabled', 'index', 'path'] + 'example', 'enabled', 'index', 'path', 'scaling_factor'] multi_fields_allowed_keys = ['name', 'type', 'norms', 'default_field', 'normalizer', 'ignore_above'] fields = [] diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 08e925f0ae..9fed37ee05 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -61,6 +61,8 @@ def entry_for(field): ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms']) elif field['type'] == 'alias': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['path']) + elif field['type'] == 'scaled_float': + ecs_helpers.dict_copy_existing_keys(field, field_entry, ['scaling_factor']) if 'multi_fields' in field: field_entry['fields'] = {} diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py index fa5838cbb7..ab3acfcaeb 100644 --- a/scripts/schema/cleaner.py +++ b/scripts/schema/cleaner.py 
@@ -159,10 +159,12 @@ def field_mandatory_attributes(field): current_field_attributes = sorted(field['field_details'].keys()) missing_attributes = ecs_helpers.list_subtract(FIELD_MANDATORY_ATTRIBUTES, current_field_attributes) - # The `alias` type requires a target path. - # https://github.com/elastic/ecs/issues/876 + # `alias` fields require a target `path` attribute. if field['field_details'].get('type') == 'alias' and 'path' not in current_field_attributes: missing_attributes.append('path') + # `scaled_float` fields require a `scaling_factor` attribute. + if field['field_details'].get('type') == 'scaled_float' and 'scaling_factor' not in current_field_attributes: + missing_attributes.append('scaling_factor') if len(missing_attributes) > 0: msg = "Field is missing the following mandatory attributes: {}.\nFound these: {}.\nField details: {}" diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index 9136f8b99e..a1491d2241 100644 --- a/scripts/tests/test_es_template.py +++ b/scripts/tests/test_es_template.py @@ -122,6 +122,19 @@ def test_entry_for_alias(self): } self.assertEqual(es_template.entry_for(test_map), exp) + def test_entry_for_scaled_float(self): + test_map = { + 'name': 'test.scaled_float', + 'type': 'scaled_float', + 'scaling_factor': 1000 + } + + exp = { + 'type': 'scaled_float', + 'scaling_factor': 1000 + } + self.assertEqual(es_template.entry_for(test_map), exp) + if __name__ == '__main__': unittest.main() diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py index ba86728e2d..13f78c4e91 100644 --- a/scripts/tests/unit/test_schema_cleaner.py +++ b/scripts/tests/unit/test_schema_cleaner.py 
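Review bot: The `scaled_float` block duplicates the `alias` block two lines above it nearly verbatim, and a third type-specific attribute would add a third copy; a small mapping from field type to required attributes keeps `field_mandatory_attributes` to one loop. It also only tests presence: Elasticsearch requires `scaling_factor` to be a positive number, so a value like `0` or a string still passes the cleaner and is presumably rejected only when the template is loaded, whereas a type/range check here would fail at generation time. `field_mandatory_attributes` starts before this hunk.
```python
# Attributes that are mandatory only for specific field types.
TYPE_MANDATORY_ATTRIBUTES = {
    'alias': ['path'],
    'scaled_float': ['scaling_factor'],
}

# … unchanged: field_mandatory_attributes up to missing_attributes …
    field_type = field['field_details'].get('type')
    for attr in TYPE_MANDATORY_ATTRIBUTES.get(field_type, []):
        if attr not in current_field_attributes:
            missing_attributes.append(attr)
# … unchanged: raise ValueError when missing_attributes is non-empty …
```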
@@ -164,6 +164,13 @@ def test_field_raises_on_alias_missing_path_attribute(self): "mandatory attributes: {}".format("path")): cleaner.field_mandatory_attributes(field) + def test_raises_on_missing_scaling_factor(self): + field = self.schema_process()['process']['fields']['pid'] + field['field_details']['type'] = "scaled_float" + with self.assertRaisesRegex(ValueError, + "mandatory attributes: {}".format("scaling_factor")): + cleaner.field_mandatory_attributes(field) + def test_field_simple_cleanup(self): my_field = { 'field_details': { From 5afd0a586f6421b6c59626fd99ee110f0e8687e2 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 28 Oct 2020 12:37:49 -0500 Subject: [PATCH 29/90] [1.x] Add fallback for constant_keyword (#1046) (#1056) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 1 + scripts/schema/oss.py | 6 ++++-- scripts/tests/unit/test_schema_oss.py | 11 ++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2d4e349ec7..4cbd2bb895 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -30,6 +30,7 @@ Thanks, you're awesome :-) --> * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042 +* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046 #### Improvements diff --git a/scripts/schema/oss.py b/scripts/schema/oss.py index ba38a254b1..bfc07bb071 100644 --- a/scripts/schema/oss.py +++ b/scripts/schema/oss.py @@ -13,6 +13,7 @@ from schema import visitor TYPE_FALLBACKS = { + 'constant_keyword': 'keyword', 'wildcard': 'keyword', 'version': 'keyword' } 
@@ -25,5 +26,6 @@ def fallback(fields): def perform_fallback(field): """Performs a best effort fallback of basic data types to equivalent OSS data types.""" - if field['field_details']['type'] in TYPE_FALLBACKS.keys(): - field['field_details']['type'] = TYPE_FALLBACKS[field['field_details']['type']] + fallback_type = TYPE_FALLBACKS.get(field['field_details']['type']) + if fallback_type: + field['field_details']['type'] = fallback_type diff --git a/scripts/tests/unit/test_schema_oss.py b/scripts/tests/unit/test_schema_oss.py index 4ac08d9d08..910b7959ca 100644 --- a/scripts/tests/unit/test_schema_oss.py +++ b/scripts/tests/unit/test_schema_oss.py @@ -14,6 +14,8 @@ class TestSchemaOss(unittest.TestCase): def setUp(self): self.maxDiff = None + # Fallbacks + def test_wildcard_fallback(self): field = {'field_details': {'name': 'myfield', 'type': 'wildcard'}} oss.perform_fallback(field) @@ -24,12 +26,19 @@ def test_version_fallback(self): oss.perform_fallback(field) self.assertEqual('keyword', field['field_details']['type']) + def test_constant_keyword_fallback(self): + field = {'field_details': {'name': 'myfield', 'type': 'constant_keyword'}} + oss.perform_fallback(field) + self.assertEqual('keyword', field['field_details']['type']) + + # Not falling back + def test_basic_without_fallback(self): field = {'field_details': {'name': 'myfield', 'type': 'histogram'}} oss.perform_fallback(field) self.assertEqual('histogram', field['field_details']['type']) - def test_oss_no_fallback(self): + def test_oss_no_fallback_needed(self): field = {'field_details': {'name': 'myfield', 'type': 'keyword'}} oss.perform_fallback(field) self.assertEqual('keyword', field['field_details']['type']) From 7ef838baa1507e612754f0d45730382f9fbe9dd8 Mon Sep 17 00:00:00 2001 
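Review bot: `if fallback_type:` in `perform_fallback` tests the looked-up value for truthiness where the intent is "a fallback exists"; `if fallback_type is not None:` states that directly and would not misbehave if an empty string were ever mapped. Separately, falling `constant_keyword` back to `keyword` rewrites only the type and leaves every other attribute of the field untouched, so a field carrying a constant_keyword-specific mapping parameter would be emitted under a `keyword` mapping; presumably no ECS field does so today, but the "best effort" docstring could spell out that only the type is translated.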
From: Eric Beahan Date: Wed, 28 Oct 2020 12:51:40 -0500 Subject: [PATCH 30/90] [1.x] Add wildcard type support to go code generator (#1050) (#1057) * add wildcard type support * also add version and constant_keyword * changelog --- CHANGELOG.next.md | 1 + scripts/cmd/gocodegen/gocodegen.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 4cbd2bb895..78dad60ec5 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -31,6 +31,7 @@ Thanks, you're awesome :-) --> * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877 * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046 +* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 #### Improvements diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go index c202691ce0..8fff5ed5d9 100644 --- a/scripts/cmd/gocodegen/gocodegen.go +++ b/scripts/cmd/gocodegen/gocodegen.go @@ -274,7 +274,7 @@ func goDataType(fieldName, elasticsearchDataType string) string { } switch elasticsearchDataType { - case "keyword", "text", "ip", "geo_point": + case "keyword", "wildcard", "version", "constant_keyword", "text", "ip", "geo_point": return "string" case "long": return "int64" From a28ee14cb1b56fd1310dd1b9da511a6065bc831a Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 29 Oct 2020 12:41:14 -0400 Subject: [PATCH 31/90] [1.x] New default make task that generates main and experimental artifacts. (#1041) (#1060) Also changing the order of the 'generate' task: it now starts with the new generator, then runs the legacy scripts. --- Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 07f0442421..67ee219d8a 100644 
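Review bot: The widened `case` in `goDataType` folds four Elasticsearch types into `string` without saying why they belong together, so the next person adding a type has to look it up; a comment above the case such as `// wildcard, version and constant_keyword are keyword variants in Elasticsearch and carry string values, like text, ip and geo_point.` would make the grouping self-explanatory. The rest of `goDataType`, including its handling of types not listed in the switch, is outside this hunk.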
--- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # # Variables # -.DEFAULT_GOAL := generate +.DEFAULT_GOAL := all FIND := find . -type f -not -path './build/*' -not -path './.git/*' FORCE_GO_MODULES := GO111MODULE=on OPEN_DOCS ?= "--open" @@ -12,6 +12,10 @@ VERSION := $(shell cat version) # Targets (sorted alphabetically) # +# Default build generates main and experimental artifacts +.PHONY: all +all: generate experimental + # Check verifies that all of the committed files that are generated are # up-to-date. .PHONY: check @@ -60,7 +64,7 @@ fmt: ve # Alias to generate everything. .PHONY: generate -generate: legacy_use_cases codegen generator +generate: generator legacy_use_cases codegen $(PYTHON) --version # Run the new generator From 52de713ad586938d110ca49cb41c1d3579eabd02 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 2 Nov 2020 13:02:04 -0500 Subject: [PATCH 32/90] [1.x] Change the index pattern in the sample template. (#1048) (#1068) --- CHANGELOG.md | 5 +++ .../generated/elasticsearch/7/template.json | 2 +- generated/elasticsearch/6/template.json | 2 +- generated/elasticsearch/7/template.json | 2 +- generated/elasticsearch/README.md | 41 ++++++++++++++----- scripts/generators/es_template.py | 2 +- 6 files changed, 39 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ee6329197..a1927875df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,11 @@ All notable changes to this project will be documented in this file based on the ### Tooling and Artifact Changes +#### Breaking changes + +* Changed the index pattern of the sample Elasticsearch template from `ecs-*` to + `try-ecs-*` to avoid conflicting with Logstash' `ecs-logstash-*`. #1048 + #### Bugfixes * Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960 diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index f4fdf59c7c..a75360b36d 100644 
--- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "ecs-*" + "try-ecs-*" ], "mappings": { "_meta": { diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index ead8e6ee27..1392c740e3 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "ecs-*" + "try-ecs-*" ], "mappings": { "_doc": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index bd5fcd8a20..fe43b9ed19 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "ecs-*" + "try-ecs-*" ], "mappings": { "_meta": { diff --git a/generated/elasticsearch/README.md b/generated/elasticsearch/README.md index 062afac1f9..40579d141c 100644 --- a/generated/elasticsearch/README.md +++ b/generated/elasticsearch/README.md 
@@ -3,33 +3,52 @@ Crafting the perfect Elasticsearch template is an art. But here's a good starting point for experimentation. +When you're ready to customize this template to the precise needs of your use case, +please check out [USAGE.md](../../USAGE.md). + +## Notes on index naming + +This sample Elasticsearch template will apply to any index named `try-ecs-*`. +This is good for experimentation. + +Note that an index following ECS can be named however you need. There's no requirement +to have "ecs" in the index name. + ## Instructions -Load the template from your shell +If you want to play with a specific version of ECS, check out the proper branch first. + +``` +git checkout 1.6 +``` + +Load the template in Elasticsearch from your shell. ```bash # Elasticsearch 7 -curl -XPOST 'localhost:9200/_template/ecs-test' --header "Content-Type: application/json" \ +curl -XPOST 'localhost:9200/_template/try-ecs' \ + --header "Content-Type: application/json" \ -d @'generated/elasticsearch/7/template.json' # or Elasticsearch 6 -curl -XPOST 'localhost:9200/_template/ecs-test' --header "Content-Type: application/json" \ +curl -XPOST 'localhost:9200/_template/try-ecs' \ + --header "Content-Type: application/json" \ -d @'generated/elasticsearch/6/template.json' ``` Play from Kibana Dev Tools ``` -# 👀 -GET _template/ecs-test +# Look at the template you just uploaded 👀 +GET _template/try-ecs -# index -PUT ecs-test -GET ecs-test -POST ecs-test/_doc -{ "@timestamp": "2019-02-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} } +# index a document +PUT try-ecs-test +GET try-ecs-test +POST try-ecs-test/_doc +{ "@timestamp": "2020-10-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} } # enjoy -GET ecs-test/_search +GET try-ecs-test/_search { "query": { "term": { "host.ip": "10.0.0.0/8" } } } ``` diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 9fed37ee05..13498cef9d 100644 
--- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -109,7 +109,7 @@ def save_json(file, data): def default_template_settings(): return { - "index_patterns": ["ecs-*"], + "index_patterns": ["try-ecs-*"], "order": 1, "settings": { "index": { From 1703ac8711f14295b1acb576184faad2dfdb1f3d Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 4 Nov 2020 15:20:09 -0500 Subject: [PATCH 33/90] [1.x] Prepare link to Logs docs changing with the 7.10 release in "getting-started" (#1073) (#1079) Co-authored-by: EamonnTP --- docs/using-getting-started.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc index 8e322d7428..c81521a783 100644 --- a/docs/using-getting-started.asciidoc +++ b/docs/using-getting-started.asciidoc @@ -285,5 +285,10 @@ Here are some examples of additional fields processed by metadata or parser proc We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic solutions, check out the reference guides below to learn more about each: -* {logs-guide}/logs-fields-reference.html[Logs Monitoring Field Reference] +ifeval::["{branch}"=="7.9"] +* {logs-guide}/logs-fields-reference.html[Log Monitoring Field Reference] +endif::[] +ifeval::["{branch}"!="7.9"] +* {observability-guide}/logs-app-fields.html[Log Monitoring Field Reference] +endif::[] * {security-guide}/siem-field-reference.html[Elastic Security Field Reference] From 7bad0b05ba160af02874651c0a94c7bdcefdc06f Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 4 Nov 2020 15:21:08 -0500 Subject: [PATCH 34/90] [1.x] Prepare link to Logs docs changing with the 7.10 release in "products-solutions" page (#1074) (#1083) Co-authored-by: EamonnTP --- docs/products-solutions.asciidoc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc index a8fca573cd..945653779f 100644 --- a/docs/products-solutions.asciidoc +++ b/docs/products-solutions.asciidoc @@ -9,10 +9,14 @@ The following Elastic products support ECS out of the box, as of version 7.0: ** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security Server] -* {logs-guide}/logs-app-overview.html[Logs Monitoring] +ifeval::["{branch}"=="7.9"] +* {logs-guide}/logs-app-overview.html[Log Monitoring] +endif::[] +ifeval::["{branch}"!="7.9"] +* {observability-guide}/monitor-logs.html[Log Monitoring] +endif::[] * Log formatters that support ECS out of the box for various languages can be found https://github.com/elastic/ecs-logging/blob/master/README.md[here]. // TODO Insert community & partner solutions here - From b4bbe72d5a3c06b25e2764a31f0df7d5aac9cb94 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 4 Nov 2020 15:58:23 -0600 Subject: [PATCH 35/90] [1.x] Add event.category session. (#1049) (#1093) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 2 ++ docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 10 ++++++++++ experimental/generated/ecs/ecs_nested.yml | 10 ++++++++++ generated/ecs/ecs_flat.yml | 10 ++++++++++ generated/ecs/ecs_nested.yml | 10 ++++++++++ schemas/event.yml | 9 +++++++++ 8 files changed, 65 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 78dad60ec5..099d9a5037 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,6 +10,8 @@ Thanks, you're awesome :-) --> ### Schema Changes +* Added `event.category` "session". #1049 + #### Breaking changes #### Bugfixes diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f961b6fa89..a89a0bf6e1 100644 
--- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 1ef4b8e072..653b031cc2 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> [float] @@ -298,6 +299,18 @@ Use this category of events to visualize and analyze process-specific informatio access, change, end, info, start +[float] +[[ecs-event-category-session]] +==== session + +The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + + +*Expected event types for category session:* + +start, end, info + + [float] [[ecs-event-category-web]] ==== web diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 13a7c32325..28898f42e2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1774,6 +1774,16 @@ event.category: - info - start name: process + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bfb2df366d..f17cc20d19 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2168,6 +2168,16 @@ event: - info - start name: process + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 81a1ee4950..d085df9e87 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1814,6 +1814,16 @@ event.category: - info - start name: process + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1ca8779d5e..3bb3ce663b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2209,6 +2209,16 @@ event: - info - start name: process + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/schemas/event.yml b/schemas/event.yml index 6778790784..b4add99818 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -277,6 +277,15 @@ - end - info - start + - name: session + description: > + The session category is applied to events and metrics regarding logical persistent connections to hosts and services. + Use this category to visualize and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info - name: web description: > Relating to web server access. Use this category to create a dashboard of From 46210a5b8c484ba28386047a7b6199898e929b15 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 4 Nov 2020 16:12:37 -0600 Subject: [PATCH 36/90] [1.x] Add event.category registry (#1040) (#1094) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 5 +++-- docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 9 +++++++++ experimental/generated/ecs/ecs_nested.yml | 9 +++++++++ generated/ecs/ecs_flat.yml | 9 +++++++++ generated/ecs/ecs_nested.yml | 9 +++++++++ schemas/event.yml | 9 +++++++++ 8 files changed, 62 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 099d9a5037..bfd5ff6cc4 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,14 +10,15 @@ Thanks, you're awesome :-) --> ### Schema Changes -* Added `event.category` "session". #1049 - #### Breaking changes #### Bugfixes #### Added +* Added `event.category` "registry". #1040 +* Added `event.category` "session". #1049 + #### Improvements #### Deprecated diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index a89a0bf6e1..ddcb587a24 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
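Review bot: The `expected_event_types` list for the new `session` category is written as `start, end, info`, whereas the neighbouring entries in this file (`process` above it shows `end, info, start`) keep the list alphabetical. Because the generated `ecs_flat.yml`/`ecs_nested.yml` and the field-values docs reproduce the list in source order, the inconsistency is copied into every artifact in this commit. Reordering to `- end`, `- info`, `- start` in `schemas/event.yml` and regenerating fixes all of them at once.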
@@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 653b031cc2..6f3adc1c26 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> * <> @@ -299,6 +300,18 @@ Use this category of events to visualize and analyze process-specific informatio access, change, end, info, start +[float] +[[ecs-event-category-registry]] +==== registry + +Having to do with settings and assets stored in the Windows registry. Use this category to visualize and analyze activity such as registry access and modifications. + + +*Expected event types for category registry:* + +access, change, creation, deletion + + [float] [[ecs-event-category-session]] ==== session diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 28898f42e2..b07d2ba201 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1774,6 +1774,15 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f17cc20d19..ebd19083ed 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2168,6 +2168,15 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d085df9e87..9447fa982b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1814,6 +1814,15 @@ event.category: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3bb3ce663b..ca9424eaed 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2209,6 +2209,15 @@ event: - info - start name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry - description: The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections diff --git a/schemas/event.yml b/schemas/event.yml index b4add99818..45128fcf4a 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -277,6 +277,15 @@ - end - info - start + - name: registry + description: > + Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access and modifications. + expected_event_types: + - access + - change + - creation + - deletion - name: session description: > The session category is applied to events and metrics regarding logical persistent connections to hosts and services. From 1c457b56c6d8fd14b03168b5dae9261da80c8d0b Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Tue, 10 Nov 2020 09:15:51 -0600 Subject: [PATCH 37/90] [1.x] Add --ref support for experimental artifacts (#1063) (#1101) Co-authored-by: Mathieu Martin --- CHANGELOG.md | 1 + USAGE.md | 18 +++++++- scripts/generator.py | 3 +- scripts/generators/ecs_helpers.py | 8 ++++ scripts/schema/loader.py | 26 +++++++++--- scripts/tests/test_ecs_helpers.py | 8 ++++ scripts/tests/unit/test_schema_loader.py | 52 ++++++++++++++++++++++++ 7 files changed, 108 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1927875df..23f6728c36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,6 +51,7 @@ All notable changes to this project will be documented in this file based on the * Field details Jinja2 template components have been consolidated into one template #897 * Add `[discrete]` marker before each section header in field details. #989 +* `--ref` now loads `experimental/schemas` based on git ref in addition to `schemas`. #1063 ## [1.6.0](https://github.com/elastic/ecs/compare/v1.5.0...v1.6.0) diff --git a/USAGE.md b/USAGE.md index cb0c49bf27..aadf24b526 100644 --- a/USAGE.md +++ b/USAGE.md @@ -188,6 +188,8 @@ And looking at a specific artifact, `../myprojects/out/generated/elasticsearch/7 ... ``` +Include can be used together with the `--ref` flag to merge custom fields into a targeted ECS version. See [`Ref`](#ref). + > NOTE: The `--include` mechanism will not validate custom YAML files prior to merging. This allows for modifying existing ECS fields in a custom schema without having to redefine all the mandatory field attributes. #### Subset 
@@ -235,12 +237,26 @@ It's also possible to combine `--include` and `--subset` together! Do note that #### Ref -The `--ref` argument allows for passing a specific `git` tag (e.g. `v.1.5.0`) or commit hash (`1454f8b`) that will be used to build ECS artifacts. +The `--ref` argument allows for passing a specific `git` tag (e.g. `v1.5.0`) or commit hash (`1454f8b`) that will be used to build ECS artifacts. ``` $ python scripts/generator.py --ref v1.5.0 ``` +The `--ref` argument loads field definitions from the specified git reference (branch, tag, etc.) from directories [`./schemas`](./schemas) and [`./experimental/schemas`](./experimental/schemas) (when specified via `--include`). + +Here's another example loading both ECS fields and [experimental](experimental/README.md) changes *from branch "1.7"*, then adds custom fields on top. + +``` +$ python scripts/generator.py --ref 1.7 --include experimental/schemas ../myproject/fields/custom --out ../myproject/out +``` + +The command above will produce artifacts based on: + +* main ECS field definitions as of branch 1.7 +* experimental ECS changes as of branch 1.7 +* custom fields in `../myproject/fields/custom` as they are on the filesystem + > Note: `--ref` does have a dependency on `git` being installed and all expected commits/tags fetched from the ECS upstream repo. This will unlikely be an issue unless you downloaded the ECS as a zip archive from GitHub vs. cloning it. #### Mapping & Template Settings diff --git a/scripts/generator.py b/scripts/generator.py index b6dcf05db9..0db252648d 100644 --- a/scripts/generator.py +++ b/scripts/generator.py 
@@ -63,7 +63,8 @@ def main(): def argument_parser(): parser = argparse.ArgumentParser() - parser.add_argument('--ref', action='store', help='git reference to use when building schemas') + parser.add_argument('--ref', action='store', help='Loads fields definitions from `./schemas` subdirectory from specified git reference. \ + Note that "--include experimental/schemas" will also respect this git ref.') parser.add_argument('--include', nargs='+', help='include user specified directory of custom field definitions') parser.add_argument('--subset', nargs='+', diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py index 2da446f3e3..801319854c 100644 --- a/scripts/generators/ecs_helpers.py +++ b/scripts/generators/ecs_helpers.py @@ -114,6 +114,14 @@ def get_tree_by_ref(ref): return commit.tree +def path_exists_in_git_tree(tree, file_path): + try: + _ = tree[file_path] + except KeyError: + return False + return True + + def usage_doc_files(): usage_docs_dir = os.path.join(os.path.dirname(__file__), '../../docs/usage') usage_docs_path = pathlib.Path(usage_docs_dir) diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py index 16895babbe..e953834d97 100644 --- a/scripts/schema/loader.py +++ b/scripts/schema/loader.py 
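Review bot: The backslash continuation inside the `--ref` help string embeds the continuation line's indentation in the literal; argparse's default formatter happens to collapse runs of whitespace, but the conventional way to split a long help text is implicit concatenation of two adjacent literals, e.g. `help='Loads field definitions from `./schemas` subdirectory from specified git reference. '` followed on the next line by `'Note that "--include experimental/schemas" will also respect this git ref.'`. That also gives an opportunity to fix the wording `fields definitions` to `field definitions`. The surrounding `argument_parser` body continues outside the hunk.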
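Review bot: `path_exists_in_git_tree` has no docstring, and the `_ = tree[file_path]` assignment exists only to trigger the indexer; a bare `tree[file_path]` expression statement reads more directly. A one-line docstring would help callers, since the contract is only visible from the `except KeyError` branch: `"""Return True if file_path resolves inside the git tree object; a KeyError from the tree indexer is treated as absent."""` (the tree type is presumably the object returned by `get_tree_by_ref` above — confirm).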
@@ -51,9 +51,18 @@ def load_schemas(ref=None, included_files=[]): schema_files_raw = load_schema_files(ecs_helpers.ecs_files()) fields = deep_nesting_representation(schema_files_raw) - # Custom additional files (never from git ref) + EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas' + + # Custom additional files if included_files and len(included_files) > 0: print('Loading user defined schemas: {0}'.format(included_files)) + # If --ref provided and --include loading experimental schemas + if ref and EXPERIMENTAL_SCHEMA_DIR in included_files: + exp_schema_files_raw = load_schemas_from_git(ref, target_dir=EXPERIMENTAL_SCHEMA_DIR) + exp_fields = deep_nesting_representation(exp_schema_files_raw) + fields = merge_fields(fields, exp_fields) + included_files.remove(EXPERIMENTAL_SCHEMA_DIR) + # Remaining additional custom files (never from git ref) custom_files = ecs_helpers.get_glob_files(included_files, ecs_helpers.YAML_EXT) custom_fields = deep_nesting_representation(load_schema_files(custom_files)) fields = merge_fields(fields, custom_fields) @@ -68,13 +77,18 @@ def load_schema_files(files): return fields_nested -def load_schemas_from_git(ref): +def load_schemas_from_git(ref, target_dir='schemas'): tree = ecs_helpers.get_tree_by_ref(ref) fields_nested = {} - for blob in tree['schemas'].blobs: - if blob.name.endswith('.yml'): - new_fields = read_schema_blob(blob, ref) - fields_nested = ecs_helpers.safe_merge_dicts(fields_nested, new_fields) + + # Handles case if target dir doesn't exists in git ref + if ecs_helpers.path_exists_in_git_tree(tree, target_dir): + for blob in tree[target_dir].blobs: + if blob.name.endswith('.yml'): + new_fields = read_schema_blob(blob, ref) + fields_nested = ecs_helpers.safe_merge_dicts(fields_nested, new_fields) + else: + raise KeyError(f"Target directory './{target_dir}' not present in git ref '{ref}'!") return fields_nested 
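Review bot: `included_files.remove(EXPERIMENTAL_SCHEMA_DIR)` mutates the list the caller passed to `load_schemas`, and the membership test `EXPERIMENTAL_SCHEMA_DIR in included_files` is an exact string comparison, so a spelling such as `experimental/schemas/` or `./experimental/schemas` silently falls through to the filesystem load instead of the git ref. Building a filtered copy avoids the side effect, e.g. `included_files = [f for f in included_files if f != EXPERIMENTAL_SCHEMA_DIR]` in place of the `remove`, and comparing normalized paths (`os.path.normpath`, if `os` is imported in this module) would close the spelling gap. Note also that the signature in the hunk header uses a mutable default `included_files=[]`, which this new in-place `remove` would now alter across calls if the default were ever used.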
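Review bot: In `load_schemas_from_git` the happy path is nested under `if ecs_helpers.path_exists_in_git_tree(...)` with the `raise` in an `else`; inverting it into a guard clause keeps the loop at the top level: `if not ecs_helpers.path_exists_in_git_tree(tree, target_dir):` followed by the existing `raise KeyError(...)`, then the `for blob in tree[target_dir].blobs:` loop unindented. The comment `# Handles case if target dir doesn't exists in git ref` should read `# Fail clearly when target_dir is absent from the git ref`. A docstring noting that only direct `.yml` blobs of `target_dir` are read (subdirectories are not descended, as the existing loop shows) would document a limitation callers cannot otherwise see.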
diff --git a/scripts/tests/test_ecs_helpers.py b/scripts/tests/test_ecs_helpers.py index 2eb5ff0254..79b554ad95 100644 --- a/scripts/tests/test_ecs_helpers.py +++ b/scripts/tests/test_ecs_helpers.py @@ -99,11 +99,19 @@ def test_list_subtract(self): self.assertEqual(ecs_helpers.list_subtract(['a', 'b'], ['a']), ['b']) self.assertEqual(ecs_helpers.list_subtract(['a', 'b'], ['a', 'c']), ['b']) + # git helper tests + def test_get_tree_by_ref(self): ref = 'v1.5.0' tree = ecs_helpers.get_tree_by_ref(ref) self.assertEqual(tree.hexsha, '4449df245f6930d59bcd537a5958891261a9476b') + def test_path_exists_in_git_tree(self): + ref = 'v1.6.0' + tree = ecs_helpers.get_tree_by_ref(ref) + self.assertFalse(ecs_helpers.path_exists_in_git_tree(tree, 'nonexistant')) + self.assertTrue(ecs_helpers.path_exists_in_git_tree(tree, 'schemas')) + if __name__ == '__main__': unittest.main() diff --git a/scripts/tests/unit/test_schema_loader.py b/scripts/tests/unit/test_schema_loader.py index edd585c011..de3a718bd5 100644 --- a/scripts/tests/unit/test_schema_loader.py +++ b/scripts/tests/unit/test_schema_loader.py 
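Review bot: The negative fixture path in `test_path_exists_in_git_tree` is spelled `'nonexistant'`; it works as a fixture, but `'nonexistent'` reads as intended. Both this test and `test_get_tree_by_ref` resolve tags (`v1.5.0`, `v1.6.0`) from the local clone, and the USAGE text in this same patch notes that `--ref` requires those objects to be fetched, so on a shallow or tag-less clone these tests will error rather than skip; a `skipTest` when `get_tree_by_ref` cannot resolve the tag would make that failure mode explicit.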
@@ -79,6 +79,21 @@ def test_load_schemas_no_custom(self): fields['process']['fields']['thread'].keys(), "Fields containing nested fields should at least have the 'fields' subkey") + def test_load_schemas_git_ref(self): + fields = loader.load_schemas(ref='v1.6.0') + self.assertEqual( + ['field_details', 'fields', 'schema_details'], + sorted(fields['process'].keys()), + "Schemas should have 'field_details', 'fields' and 'schema_details' subkeys") + self.assertEqual( + ['field_details'], + list(fields['process']['fields']['pid'].keys()), + "Leaf fields should have only the 'field_details' subkey") + self.assertIn( + 'fields', + fields['process']['fields']['thread'].keys(), + "Fields containing nested fields should at least have the 'fields' subkey") + @mock.patch('schema.loader.read_schema_file') def test_load_schemas_fail_on_accidental_fieldset_redefinition(self, mock_read_schema): mock_read_schema.side_effect = [ @@ -124,6 +139,43 @@ def test_nest_schema_raises_on_missing_schema_name(self): with self.assertRaisesRegex(ValueError, 'incomplete.yml'): loader.nest_schema([{'description': 'just a description'}], 'incomplete.yml') + def test_load_schemas_from_git(self): + fields = loader.load_schemas_from_git('v1.0.0', target_dir='schemas') + self.assertEqual( + ['agent', + 'base', + 'client', + 'cloud', + 'container', + 'destination', + 'ecs', + 'error', + 'event', + 'file', + 'geo', + 'group', + 'host', + 'http', + 'log', + 'network', + 'observer', + 'organization', + 'os', + 'process', + 'related', + 'server', + 'service', + 'source', + 'url', + 'user', + 'user_agent'], + sorted(fields.keys()), + "Raw schema fields should have expected fieldsets for v1.0.0") + + def test_load_schemas_from_git_missing_target_directory(self): + with self.assertRaisesRegex(KeyError, "not present in git ref 'v1.5.0'"): + loader.load_schemas_from_git('v1.5.0', target_dir='experimental') + # nesting stuff def test_nest_fields(self): 
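Review bot: `test_load_schemas_git_ref` repeats the three assertions of `test_load_schemas_no_custom` verbatim, differing only in the `ref='v1.6.0'` argument; extracting them into a helper such as `def assert_process_fieldset_shape(self, fields):` keeps the two tests in step when the expected subkeys change. The first hunk's enclosing test class continues outside the hunk. In the second hunk, `test_load_schemas_from_git_missing_target_directory` passes `target_dir='experimental'` whereas the loader feature uses `experimental/schemas`; using the same path the production code uses would make the test read as an end-to-end check of that case.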
From ec51a8d7c8805756f6c2eca8ffdc235156333504 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 10 Nov 2020 12:28:54 -0600 Subject: [PATCH 38/90] [1.x] Remove experimental event.original definition (#1053) (#1104) --- CHANGELOG.md | 1 + experimental/generated/beats/fields.ecs.yml | 3 ++- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 3 ++- experimental/generated/ecs/ecs_nested.yml | 3 ++- experimental/generated/elasticsearch/7/template.json | 3 ++- experimental/schemas/event.yml | 5 ----- 7 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 experimental/schemas/event.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 23f6728c36..57c3f891d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,7 @@ All notable changes to this project will be documented in this file based on the #### Bugfixes * Addressed issue where foreign reuses weren't using the user-supplied `as` value for their destination. #960 +* Experimental artifacts failed to install due to `event.original` index setting. #1053 #### Added diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index da99874ab5..cb8b834dd1 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1317,7 +1317,8 @@ example: apache - name: original level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 15b7de8404..95d72bce73 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. 1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. 1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.8.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. 1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. 1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index b07d2ba201..85fbad3e10 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2038,12 +2038,13 @@ event.original: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original + ignore_above: 1024 index: false level: core name: original normalize: [] short: Raw text message of entire event. - type: wildcard + type: keyword event.outcome: allowed_values: - description: Indicates that this event describes a failed result. A common example 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ebd19083ed..1c6533c1a9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2436,12 +2436,13 @@ event: example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 flat_name: event.original + ignore_above: 1024 index: false level: core name: original normalize: [] short: Raw text message of entire event. - type: wildcard + type: keyword event.outcome: allowed_values: - description: Indicates that this event describes a failed result. A common diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index a75360b36d..46d059dfd8 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -706,8 +706,9 @@ }, "original": { "doc_values": false, + "ignore_above": 1024, "index": false, - "type": "wildcard" + "type": "keyword" }, "outcome": { "ignore_above": 1024, diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml deleted file mode 100644 index 07daa3ac87..0000000000 --- a/experimental/schemas/event.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: event - fields: - - name: original - type: wildcard From b91b60b1e72ce7cc1097fb5d9ad96ff2d03451c6 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Tue, 10 Nov 2020 13:40:19 -0600 Subject: [PATCH 39/90] [1.x] Add missing `process.thread.name` to experimental definitions (#1103) (#1106) --- CHANGELOG.md | 4 ++-- experimental/generated/beats/fields.ecs.yml | 6 ++---- experimental/generated/csv/fields.csv | 4 ++-- experimental/generated/ecs/ecs_flat.yml | 6 ++---- experimental/generated/ecs/ecs_nested.yml | 6 ++---- experimental/generated/elasticsearch/7/template.json | 6 ++---- experimental/schemas/process.yml | 2 ++ 7 files changed, 14 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57c3f891d8..956b2a75b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ All notable changes to this project will be documented in this file based on the * Added network directions ingress and egress. #945 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 +* Added a new directory with experimental artifacts, which includes all changes + from RFCs that have reached stage 2. #993, #1053 #### Improvements @@ -45,8 +47,6 @@ All notable changes to this project will be documented in this file based on the * Added `ignore_above` and `normalizer` support for keyword multi-fields. #971 * Added ability to supply free-form usage documentation per fieldset. #988 * Added `--oss` flag for users who want to generate ECS templates for use on OSS clusters. #991 -* Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index cb8b834dd1..26ec99ba27 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -3566,8 +3566,7 @@ default_field: false - name: parent.thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 default_field: false @@ -3681,8 +3680,7 @@ example: 4242 - name: thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 - name: title diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 95d72bce73..11c3aa4455 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -413,7 +413,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. 1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. 1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. 1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 
@@ -431,7 +431,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. 1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title. 1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. 1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 85fbad3e10..7a92b47716 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5385,13 +5385,12 @@ process.parent.thread.name: description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: dashed_name: process-parent-title description: 'Process title. @@ -5582,12 +5581,11 @@ process.thread.name: description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: dashed_name: process-title description: 'Process title. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1c6533c1a9..da428dae70 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -6427,13 +6427,12 @@ process: description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: dashed_name: process-parent-title description: 'Process title. @@ -6624,12 +6623,11 @@ process: description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: dashed_name: process-title description: 'Process title. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 46d059dfd8..42f2f98039 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1904,8 +1904,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1981,8 +1980,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml index da492e4564..e759e97e86 100644 --- a/experimental/schemas/process.yml +++ b/experimental/schemas/process.yml @@ -7,6 +7,8 @@ type: wildcard - name: name type: wildcard + - name: thread.name + type: wildcard - name: title type: wildcard - name: working_directory From 08b63c3143e6d40f56218cc8303c7df9e3855349 Mon Sep 17 00:00:00 2001 
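Review bot: Declaring `thread.name` as `wildcard` in experimental/schemas/process.yml drops the `ignore_above: 1024` bound the keyword mapping carried, as the regenerated ecs_flat.yml, ecs_nested.yml and template.json hunks in this patch show, so a thread name of any length is now indexed in full. A thread name is typically chosen by the running process rather than by the log producer, so this is a value the indexer does not control. If the wildcard type accepts `ignore_above` in the targeted Elasticsearch version, consider keeping the bound with `    ignore_above: 1024` under the new entry; if the unbounded mapping is deliberate, a short comment on the entry saying so would help the next reader.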
From: Eric Beahan Date: Thu, 12 Nov 2020 14:50:28 -0600 Subject: [PATCH 40/90] [1.x] Remove index parameter for wildcard fields (#1115) (#1119) --- CHANGELOG.md | 2 +- experimental/generated/beats/fields.ecs.yml | 1 - experimental/generated/ecs/ecs_flat.yml | 1 - experimental/generated/ecs/ecs_nested.yml | 1 - schemas/README.md | 5 +++-- scripts/schema/cleaner.py | 3 +++ scripts/tests/unit/test_schema_cleaner.py | 4 ++++ 7 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 956b2a75b5..8e77fe6b0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 * Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993, #1053 + from RFCs that have reached stage 2. #993, #1053, #1115 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 26ec99ba27..e94a371c98 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1160,7 +1160,6 @@ norms: false default_field: false description: The stack trace of this error in plain text. - index: true - name: type level: extended type: wildcard diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 7a92b47716..3c14cf04a3 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1599,7 +1599,6 @@ error.stack_trace: dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace - index: true level: extended multi_fields: - flat_name: error.stack_trace.text 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index da428dae70..f7a2bc93ae 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1971,7 +1971,6 @@ error: dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace - index: true level: extended multi_fields: - flat_name: error.stack_trace.text diff --git a/schemas/README.md b/schemas/README.md index 88440c0354..39b18f4bd7 100644 --- a/schemas/README.md +++ b/schemas/README.md @@ -129,7 +129,8 @@ Supported keys to describe fields Example values that are composite types (array, object) should be quoted to avoid YAML interpretation in ECS-generated artifacts and other downstream projects depending on the schema. - multi\_fields (optional): Specify additional ways to index the field. -- index (optional): If `False`, means field is not indexed (overrides type) +- index (optional): If `False`, means field is not indexed (overrides type). This parameter has no effect + on a `wildcard` field. - format: Field format that can be used in a Kibana index template. - normalize: Normalization steps that should be applied at ingestion time. Supported values: - array: the content of the field should be an array (even when there's only one value). @@ -151,7 +152,7 @@ Supported keys to describe expected values for a field Optionally, entries in this list can specify 'expected\_event\_types'. - expected\_event\_types: list of expected "event.type" values to use in association with that category. - + Supported keys when using the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html) ```YAML diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py index ab3acfcaeb..185d0abedc 100644 --- a/scripts/schema/cleaner.py +++ b/scripts/schema/cleaner.py 
@@ -144,6 +144,9 @@ def field_or_multi_field_datatype_defaults(field_details): field_details.setdefault('ignore_above', 1024) if field_details['type'] == 'text': field_details.setdefault('norms', False) + # wildcard needs the index param stripped + if field_details['type'] == 'wildcard': + field_details.pop('index', None) if 'index' in field_details and not field_details['index']: field_details.setdefault('doc_values', False) diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py index 13f78c4e91..bc3dbdc621 100644 --- a/scripts/tests/unit/test_schema_cleaner.py +++ b/scripts/tests/unit/test_schema_cleaner.py @@ -223,6 +223,10 @@ def test_field_defaults(self): cleaner.field_defaults({'field_details': field_details}) self.assertEqual(field_details['doc_values'], False) + field_details = {**field_min_details, **{'type': 'wildcard', 'index': True}} + cleaner.field_defaults({'field_details': field_details}) + self.assertNotIn('index', field_details) + def test_field_defaults_dont_override(self): field_details = { 'description': 'description', From 16df1c6ac7a2c132c75c118d2214fc147d1cf0f7 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 12 Nov 2020 15:30:22 -0600 Subject: [PATCH 41/90] [1.x] Add dns.answer object into experimental schema (#1118) (#1121) --- CHANGELOG.md | 2 +- experimental/generated/beats/fields.ecs.yml | 13 +++++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 19 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 19 +++++++++++++++++++ .../generated/elasticsearch/7/template.json | 3 ++- experimental/schemas/dns.yml | 2 ++ 7 files changed, 57 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e77fe6b0b..fe5c780742 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
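Review bot: The new `field_details.pop('index', None)` runs before the `if 'index' in field_details and not field_details['index']` check, so a wildcard field declared with `index: false` now silently loses both the key and the `doc_values: False` default it would otherwise have received; if that is the intent (the schemas/README.md hunk in this patch says the parameter has no effect on wildcard), the comment should say so, e.g. `# index has no effect on wildcard fields (schemas/README.md); drop it here so the doc_values default below is not applied either`. Discarding an author-supplied key without any message hides a schema mistake from the person who wrote it, so reporting the dropped value is worth considering. The unit test added in scripts/tests/unit/test_schema_cleaner.py on the same line only exercises `index: True`; a second case built from `{**field_min_details, **{'type': 'wildcard', 'index': False}}` that asserts `'doc_values' not in field_details` would pin the interaction. The enclosing function field_or_multi_field_datatype_defaults starts outside the hunk.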
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 * Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993, #1053, #1115 + from RFCs that have reached stage 2. #993, #1053, #1115, #1118 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index e94a371c98..121c8524c9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -967,6 +967,19 @@ (`dns.type:answer`).' type: group fields: + - name: answers + level: extended + type: object + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' - name: answers.class level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 11c3aa4455..64d8bf60c3 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -113,6 +113,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 3c14cf04a3..e67d668343 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1318,6 +1318,25 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned by + the server. + + The main keys that should be present in these objects are defined by ECS. Records + that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map as + much of it to ECS as possible, and add any additional fields to the answer objects + as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f7a2bc93ae..7b14063c20 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1667,6 +1667,25 @@ dns: (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' fields: + dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 42f2f98039..ce1fd20d23 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -568,7 +568,8 @@ "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "object" }, "header_flags": { "ignore_above": 1024, diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml index 54f9ccd69a..466859c09f 100644 --- a/experimental/schemas/dns.yml +++ b/experimental/schemas/dns.yml @@ -3,5 +3,7 @@ fields: - name: question.name type: wildcard + - name: answers + type: object - name: answers.data type: wildcard From 1a83782481d45a8d1ceb8ae293db808addc54af8 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Thu, 12 Nov 2020 16:42:51 -0500 Subject: [PATCH 42/90] [1.x] Clarify x509 definition guidance for network events with only one cert (#1114) (#1123) --- CHANGELOG.md | 2 ++ code/go/ecs/x509.go | 13 +++++++------ docs/field-details.asciidoc | 6 +++++- experimental/generated/beats/fields.ecs.yml | 17 ++++++++++------- experimental/generated/ecs/ecs_nested.yml | 16 +++++++++------- generated/beats/fields.ecs.yml | 17 ++++++++++------- generated/ecs/ecs_nested.yml | 16 +++++++++------- schemas/x509.yml | 10 ++++++---- 8 files changed, 58 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe5c780742..8ab66b71dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,8 @@ All notable changes to this project will be documented in this file based on the * Provided better guidance for mapping network events. #969 * Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981 +* Clarified ambiguity in guidance on how to use x509 fields for connections with + only one certificate. #1114 ### Tooling and Artifact Changes diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go index 99d916a641..d3509dda98 100644 --- a/code/go/ecs/x509.go +++ b/code/go/ecs/x509.go 
@@ -26,12 +26,13 @@ import (
 // This implements the common core fields for x509 certificates. This
 // information is likely logged with TLS sessions, digital signatures found in
 // executable binaries, S/MIME information in email bodies, or analysis of
-// files on disk. When only a single certificate is logged in an event, it
-// should be nested under `file`. When hashes of the DER-encoded certificate
-// are available, the `hash` data set should be populated as well (e.g.
-// `file.hash.sha256`). For events that contain certificate information for
-// both sides of the connection, the x509 object could be nested under the
-// respective side of the connection information (e.g. `tls.server.x509`).
+// files on disk.
+// When the certificate relates to a file, use the fields at `file.x509`. When
+// hashes of the DER-encoded certificate are available, the `hash` data set
+// should be populated as well (e.g. `file.hash.sha256`).
+// Events that contain certificate information about network connections,
+// should use the x509 fields under the relevant TLS fields: `tls.server.x509`
+// and/or `tls.client.x509`.
 type X509 struct {
 // Version of x509 format.
 VersionNumber string `ecs:"version_number"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ddcb587a24..25f01313b3 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
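Review bot: The rewritten doc comment has a stray comma between subject and verb in `// Events that contain certificate information about network connections,` followed by `// should use the x509 fields ...`, and the same sentence recurs in the docs/field-details.asciidoc, experimental and generated fields.ecs.yml, ecs_nested.yml and schemas/x509.yml hunks of this patch. If code/go/ecs/x509.go is a generated artifact, the fix belongs in schemas/x509.yml and should be regenerated from there, e.g. `Events that contain certificate information about network connections should use the x509 fields`. The first sentence still lists S/MIME information in email bodies as a source of certificate data, but the new guidance only names `file.x509` and the `tls.server.x509`/`tls.client.x509` locations, so the single-certificate ambiguity the patch title sets out to remove appears to remain for the email case; a sentence naming where such a certificate belongs, or stating that it is not yet covered, would close that gap.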
@@ -6957,7 +6957,11 @@ example: `Critical` [[ecs-x509]] === x509 Certificate Fields -This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. + +When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). + +Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. [discrete] ==== x509 Certificate Field Details diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 121c8524c9..b04eb8a437 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -5895,15 +5895,18 @@ - name: x509 title: x509 Certificate group: 2 - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files - on disk. When only a single certificate is logged in an event, it should be - nested under `file`. When hashes of the DER-encoded certificate are available, - the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For - events that contain certificate information for both sides of the connection, - the x509 object could be nested under the respective side of the connection - information (e.g. `tls.server.x509`). + on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When + hashes of the DER-encoded certificate are available, the `hash` data set should + be populated as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or + `tls.client.x509`.' type: group fields: - name: alternative_names diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 7b14063c20..57b2385bee 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10393,14 +10393,16 @@ vulnerability: title: Vulnerability type: group x509: - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable - binaries, S/MIME information in email bodies, or analysis of files on disk. When - only a single certificate is logged in an event, it should be nested under `file`. - When hashes of the DER-encoded certificate are available, the `hash` data set - should be populated as well (e.g. `file.hash.sha256`). For events that contain - certificate information for both sides of the connection, the x509 object could - be nested under the respective side of the connection information (e.g. `tls.server.x509`). + binaries, S/MIME information in email bodies, or analysis of files on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When hashes + of the DER-encoded certificate are available, the `hash` data set should be populated + as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.' fields: x509.alternative_names: dashed_name: x509-alternative-names diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index e4b1f1bb45..f1e073d6b1 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5765,15 +5765,18 @@ - name: x509 title: x509 Certificate group: 2 - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files - on disk. When only a single certificate is logged in an event, it should be - nested under `file`. When hashes of the DER-encoded certificate are available, - the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For - events that contain certificate information for both sides of the connection, - the x509 object could be nested under the respective side of the connection - information (e.g. `tls.server.x509`). + on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When + hashes of the DER-encoded certificate are available, the `hash` data set should + be populated as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or + `tls.client.x509`.' type: group fields: - name: alternative_names diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ca9424eaed..f8b86c0ee0 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10084,14 +10084,16 @@ vulnerability: title: Vulnerability type: group x509: - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable - binaries, S/MIME information in email bodies, or analysis of files on disk. When - only a single certificate is logged in an event, it should be nested under `file`. - When hashes of the DER-encoded certificate are available, the `hash` data set - should be populated as well (e.g. `file.hash.sha256`). For events that contain - certificate information for both sides of the connection, the x509 object could - be nested under the respective side of the connection information (e.g. `tls.server.x509`). + binaries, S/MIME information in email bodies, or analysis of files on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When hashes + of the DER-encoded certificate are available, the `hash` data set should be populated + as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.' fields: x509.alternative_names: dashed_name: x509-alternative-names diff --git a/schemas/x509.yml b/schemas/x509.yml index 06209dcbeb..124551c96c 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml 
@@ -6,10 +6,12 @@ description: > This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. - When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded - certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that - contain certificate information for both sides of the connection, the x509 object could be nested under the respective - side of the connection information (e.g. `tls.server.x509`). + + When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded + certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should use the x509 fields + under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`. type: group reusable: top_level: false From 28a3a69f4e67ca01812c02a4fbb3b0a9bb3209ff Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 16:48:47 -0500 Subject: [PATCH 43/90] [1.x] Indicate when artifacts include experimental changes (#1117) (#1125) --- CHANGELOG.md | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 1440 ++++++++--------- .../generated/elasticsearch/7/template.json | 2 +- scripts/generator.py | 4 + scripts/schema/loader.py | 5 +- 6 files changed, 730 insertions(+), 725 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ab66b71dc..49e89c52b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 * Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993, #1053, #1115, #1118 + from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b04eb8a437..e524abdb11 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.8.0-dev. +# based on ECS version 1.8.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 64d8bf60c3..c732a60600 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,721 +1,721 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.8.0-dev,true,client,client.port,long,core,,,Port of the client. -1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.8.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.8.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.8.0-dev,true,error,error.message,text,core,,,Error message. -1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
-1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,file,file.created,date,extended,,,File creation time. -1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 
-1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
-1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
-1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 
-1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
-1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
-1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
-1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
-1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
-1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
-1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title. -1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.8.0-dev,true,server,server.port,long,core,,,Port of the server. -1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.8.0-dev,true,source,source.port,long,core,,,Port of the source. -1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
-1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
-1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
-1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.8.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.8.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.8.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.8.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+1.8.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.8.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.8.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.8.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.8.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.8.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.8.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +1.8.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.8.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. +1.8.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+1.8.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +1.8.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +1.8.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.8.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +1.8.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.8.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +1.8.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.8.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. 
+1.8.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.8.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.8.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.8.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.8.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.8.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.8.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.8.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.8.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.8.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.8.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +1.8.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.8.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.8.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +1.8.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +1.8.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+1.8.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +1.8.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.8.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. +1.8.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.8.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.8.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.8.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.8.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
+1.8.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +1.8.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.8.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.8.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.8.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.8.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+1.8.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.8.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.8.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +1.8.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.8.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.8.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.8.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.8.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.8.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.8.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.8.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.8.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.8.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.8.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+1.8.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.8.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.8.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.8.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.8.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +1.8.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.8.0-dev+exp,true,error,error.message,text,core,,,Error message. +1.8.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.8.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.8.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.8.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.8.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.8.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.8.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.8.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.8.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.8.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
+1.8.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.8.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.8.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.8.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.8.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.8.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.8.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.8.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.8.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.8.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.8.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.8.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.8.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.8.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.8.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. 
+1.8.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +1.8.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.8.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.8.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.8.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.8.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +1.8.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.8.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.8.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.8.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.8.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.8.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+1.8.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.8.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.8.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.8.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.8.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.8.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.8.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.8.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+1.8.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +1.8.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.8.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.8.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.8.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.8.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.8.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.8.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.8.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 
+1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.8.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.8.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.8.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.8.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.8.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.8.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.8.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.8.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.8.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.8.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.8.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.8.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.8.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.8.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.8.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. 
+1.8.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.8.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +1.8.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.8.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.8.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.8.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.8.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.8.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +1.8.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.8.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.8.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.8.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.8.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.8.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.8.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.8.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.8.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
+1.8.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.8.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.8.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.8.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.8.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.8.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.8.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.8.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.8.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +1.8.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+1.8.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.8.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.8.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.8.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.8.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.8.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.8.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.8.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.8.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.8.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 
+1.8.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.8.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.8.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.8.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.8.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.8.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +1.8.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.8.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. 
+1.8.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. +1.8.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.8.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.8.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.8.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.8.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.8.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +1.8.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.8.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +1.8.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.8.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.8.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +1.8.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +1.8.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +1.8.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.8.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.8.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.8.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.8.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +1.8.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. +1.8.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+1.8.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.8.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.8.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.8.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.8.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.8.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.8.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.8.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.8.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.8.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.8.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.8.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. 
+1.8.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.8.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.8.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +1.8.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.8.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.8.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +1.8.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +1.8.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. 
+1.8.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.8.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.8.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.8.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.8.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.8.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.8.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +1.8.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.8.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.8.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.8.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +1.8.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. 
+1.8.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. +1.8.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.8.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.8.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.8.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.8.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.8.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.8.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.8.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.8.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.8.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.8.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.8.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.8.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.8.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.8.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.8.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.8.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.8.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +1.8.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.8.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.8.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.8.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.8.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.8.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.8.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +1.8.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.8.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. +1.8.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.8.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.8.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +1.8.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +1.8.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.8.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +1.8.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.8.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +1.8.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.8.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+1.8.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.8.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.8.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.8.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.8.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +1.8.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.8.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.8.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +1.8.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.8.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.8.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.8.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. +1.8.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+1.8.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.8.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.8.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.8.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.8.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.8.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.8.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.8.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +1.8.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +1.8.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.8.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +1.8.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.8.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +1.8.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.8.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+1.8.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.8.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.8.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.8.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.8.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.8.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.8.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.8.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
+1.8.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.8.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.8.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.8.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.8.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.8.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.8.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+1.8.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.8.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.8.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.8.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.8.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.8.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.8.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.8.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+1.8.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.8.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.8.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.8.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.8.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.8.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.8.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.8.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+1.8.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +1.8.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.8.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.8.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.8.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.8.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.8.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+1.8.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.8.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.8.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.8.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.8.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.8.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.8.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.8.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.8.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.8.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+1.8.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.8.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.8.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.8.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.8.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.8.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.8.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.8.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.8.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.8.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +1.8.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +1.8.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.8.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +1.8.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.8.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.8.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.8.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.8.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +1.8.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.8.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
+1.8.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. +1.8.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.8.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.8.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.8.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.8.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.8.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.8.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.8.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.8.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.8.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+1.8.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+1.8.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index ce1fd20d23..e49b046ece 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -4,7 +4,7 @@
 ],
 "mappings": {
 "_meta": {
- "version": "1.8.0-dev"
+ "version": "1.8.0-dev+exp"
 },
 "date_detection": false,
 "dynamic_templates": [
diff --git a/scripts/generator.py b/scripts/generator.py
index 0db252648d..40d63e94cb 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -41,6 +41,10 @@ def main():
 # statements like this after any step of interest.
 # ecs_helpers.yaml_dump('ecs.yml', fields)
+ # Detect usage of experimental changes to tweak artifact version label
+ if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:
+ ecs_version += "+exp"
+
 fields = loader.load_schemas(ref=args.ref, included_files=args.include)
 if args.oss:
 oss.fallback(fields)
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index e953834d97..07477551af 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -42,6 +42,9 @@
 # Examples of this are 'dns.answers', 'observer.egress'.
+EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
+
+
 def load_schemas(ref=None, included_files=[]):
 """Loads ECS and custom schemas. They are returned deeply nested and merged."""
 # ECS fields (from git ref or not)
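Review bot: `if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:` matches only the exact string `experimental/schemas`, so an include spelled `experimental/schemas/` or `./experimental/schemas` still loads the experimental schemas on the next line while the artifacts keep the stable version label, which defeats the purpose of the `+exp` marker. The test also assumes `args.include` is always a list; `load_schemas` guards `included_files` with a truthiness check, which suggests it can be None, and `in None` raises TypeError. Normalize before comparing and tolerate an absent value, e.g. `if any(os.path.normpath(p) == loader.EXPERIMENTAL_SCHEMA_DIR for p in (args.include or [])):` (needs `os` imported in generator.py, which this hunk does not show). main() continues outside the hunk.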
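Review bot: `EXPERIMENTAL_SCHEMA_DIR` becomes a module-level constant with no comment, and nothing at its definition says that scripts/generator.py (same commit) compares `args.include` entries against this exact string to decide on the `+exp` artifact label, so a later rename or a trailing-slash change would silently break the labelling. Document the contract above the assignment: `# Relative path of the experimental schema directory. generator.py compares the` / `# paths it is given against this exact string to add the "+exp" version label.` The `included_files=[]` mutable default on the visible def line predates this change but is the usual trap; `None` plus a fallback inside the body is the safer form. load_schemas's body continues outside the hunk.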
@@ -51,8 +54,6 @@ def load_schemas(ref=None, included_files=[]):
 schema_files_raw = load_schema_files(ecs_helpers.ecs_files())
 fields = deep_nesting_representation(schema_files_raw)
 
- EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
-
 # Custom additional files
 if included_files and len(included_files) > 0:
 print('Loading user defined schemas: {0}'.format(included_files))
From 27fe7e0e7e1412a827bd914a1c537662eb123ad6 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Wed, 18 Nov 2020 10:56:58 -0500
Subject: [PATCH 44/90] [1.x] Add os.type field, with list of allowed values (#1111) (#1130)
---
 CHANGELOG.next.md | 1 +
 code/go/ecs/os.go | 9 +++
 docs/field-details.asciidoc | 17 ++++
 experimental/generated/beats/fields.ecs.yml | 60 ++++++++++++++
 experimental/generated/csv/fields.csv | 3 +
 experimental/generated/ecs/ecs_flat.yml | 57 +++++++++++++
 experimental/generated/ecs/ecs_nested.yml | 79 +++++++++++++++++++
 .../generated/elasticsearch/7/template.json | 12 +++
 generated/beats/fields.ecs.yml | 60 ++++++++++++++
 generated/csv/fields.csv | 3 +
 generated/ecs/ecs_flat.yml | 57 +++++++++++++
 generated/ecs/ecs_nested.yml | 79 +++++++++++++++++++
 generated/elasticsearch/6/template.json | 12 +++
 generated/elasticsearch/7/template.json | 12 +++
 schemas/os.yml | 14 ++++
 15 files changed, 475 insertions(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index bfd5ff6cc4..8b182475d3 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `os.type`. #1111
 
 #### Improvements
 
diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
index a118950bbf..3284a5357c 100644
--- a/code/go/ecs/os.go
+++ b/code/go/ecs/os.go
@@ -21,6 +21,15 @@ package ecs
 
 // The OS fields contain information about the operating system.
 type Os struct {
+ // Use the `os.type` field to categorize the operating system into one of
+ // the broad commercial families.
+ // One of these following values should be used (lowercase): linux, macos,
+ // unix, windows.
+ // If the OS you're dealing with is not in the list, the field should not
+ // be populated. Please let us know by opening an issue with ECS, to
+ // propose its addition.
+ Type string `ecs:"type"`
+
 // Operating system platform (such centos, ubuntu, windows).
 Platform string `ecs:"platform"`
 
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 25f01313b3..ae14752657 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3930,6 +3930,23 @@ example: `darwin` // =============================================================== +| os.type +| Use the `os.type` field to categorize the operating system into one of the broad commercial families. + +One of these following values should be used (lowercase): linux, macos, unix, windows. + +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + + + +example: `macos` + +| extended + +// =============================================================== + | os.version | Operating system version as a raw string.
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index e524abdb11..e148421e5a 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -2181,6 +2181,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2929,6 +2944,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -3034,6 +3064,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5716,6 +5761,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index c732a60600..9e24de5181 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. @@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -703,6 +705,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e67d668343..5aefba80d3 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3423,6 +3423,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4559,6 +4578,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -8796,6 +8834,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 57b2385bee..977a5c2232 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4086,6 +4086,26 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -5339,6 +5359,26 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -5542,6 +5582,25 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. @@ -10110,6 +10169,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index e49b046ece..1ae21ee498 100644 --- a/experimental/generated/elasticsearch/7/template.json 
+++ b/experimental/generated/elasticsearch/7/template.json @@ -1134,6 +1134,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1589,6 +1593,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3237,6 +3245,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index f1e073d6b1..70ccffc264 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2214,6 +2214,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -2973,6 +2988,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3081,6 +3111,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: version level: extended type: keyword 
@@ -5586,6 +5631,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 04f8d184ed..96637a3f4c 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. 1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 
@@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. @@ -667,6 +669,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9447fa982b..78ef1eaec8 100644 --- a/generated/ecs/ecs_flat.yml 
+++ b/generated/ecs/ecs_flat.yml @@ -3455,6 +3455,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4602,6 +4621,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -8503,6 +8541,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f8b86c0ee0..1352e844e5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4120,6 +4120,26 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. 
@@ -5384,6 +5404,26 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -5590,6 +5630,25 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. 
@@ -9801,6 +9860,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 1392c740e3..e36eb3038f 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1167,6 +1167,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1633,6 +1637,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3161,6 +3169,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index fe43b9ed19..2abf80257d 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -1166,6 +1166,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword"
@@ -1632,6 +1636,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword"
@@ -3160,6 +3168,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword"
diff --git a/schemas/os.yml b/schemas/os.yml
index 71bf1dd36e..8b8cfcdad7 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -13,6 +13,20 @@
 
 type: group
 fields:
+ - name: type
+ level: extended
+ type: keyword
+ short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+ description: >
+ Use the `os.type` field to categorize the operating system into one of
+ the broad commercial families.
+
+ One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+ If the OS you're dealing with is not in the list, the field should not be populated.
+ Please let us know by opening an issue with ECS, to propose its addition.
+ example: macos
+
 - name: platform
 level: extended
 type: keyword
From dce6348cf4dfb5d13e5e96c2113a9d16a4ec8cf0 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Wed, 18 Nov 2020 14:36:27 -0500
Subject: [PATCH 45/90] [1.x] Add support for constant_keyword's 'value' parameter (#1112) (#1132)
---
 CHANGELOG.next.md | 1 +
 scripts/generators/es_template.py | 2 ++
 scripts/tests/test_es_template.py | 22 ++++++++++++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 8b182475d3..0dcfdfaa7c 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
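Review bot: The permitted values for the new `type` field (linux, macos, unix, windows) appear only in the free-text `short` and `description`, so none of the generated artifacts in this commit carries them in machine-readable form and the documentation generator cannot render them as a list; the PR title promises a list of allowed values, so consider declaring them as `allowed_values` entries, each with a `name` and `description`, the way `event.category` already expresses its vocabulary. This matters for a `keyword` that detection rules will filter on: a producer that emits `Linux` or `osx` silently falls outside every query written against the documented lowercase values, and only an explicit list gives a validator something to check. The `description` also asks producers to leave the field empty for other families, which would then be stated once alongside the list rather than carried only in prose.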
@@ -36,6 +36,7 @@ Thanks, you're awesome :-) --> * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 +* Added support for `constant_keyword`'s optional parameter `value`. #1112 #### Improvements diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 13498cef9d..086d5246b9 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -57,6 +57,8 @@ def entry_for(field): if field['type'] == 'keyword': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['ignore_above']) + elif field['type'] == 'constant_keyword': + ecs_helpers.dict_copy_existing_keys(field, field_entry, ['value']) elif field['type'] == 'text': ecs_helpers.dict_copy_existing_keys(field, field_entry, ['norms']) elif field['type'] == 'alias': diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index a1491d2241..43ee4d276f 100644 --- a/scripts/tests/test_es_template.py +++ b/scripts/tests/test_es_template.py @@ -135,6 +135,28 @@ def test_entry_for_scaled_float(self): } self.assertEqual(es_template.entry_for(test_map), exp) + def test_constant_keyword_with_value(self): + test_map = { + 'name': 'field_with_value', + 'type': 'constant_keyword', + 'value': 'foo' + } + + exp = { + 'type': 'constant_keyword', + 'value': 'foo' + } + self.assertEqual(es_template.entry_for(test_map), exp) + + def test_constant_keyword_no_value(self): + test_map = { + 'name': 'field_without_value', + 'type': 'constant_keyword' + } + + exp = {'type': 'constant_keyword'} + self.assertEqual(es_template.entry_for(test_map), exp) + if __name__ == '__main__': unittest.main() From 35a9ccab4ea6677a6d588f41bf00ed10b3b28ca7 Mon Sep 17 00:00:00 2001 
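Review bot: The new `constant_keyword` branch in `entry_for` copies `value` straight through, but the changelog in this same commit records that `--oss` falls back `constant_keyword` to `keyword`; if that fallback rewrites the type after `entry_for` has run (not visible in this hunk), the emitted plain-keyword mapping would still carry a `value` parameter, which Elasticsearch would presumably reject as an unknown mapping parameter. Worth confirming the order and adding a case next to `test_constant_keyword_with_value` that exercises the oss path with `value` set. The branch also accepts any YAML scalar for `value`, so a check such as `if not isinstance(field.get('value', ''), str): raise ValueError(f"constant_keyword 'value' must be a string: {field['name']}")` would fail at schema-load time with an actionable message instead of at template install. `entry_for` starts and ends outside the hunk.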
From: Eric Beahan Date: Wed, 18 Nov 2020 13:58:37 -0600 Subject: [PATCH 46/90] [1.x] Beta label support (#1051) (#1133) Co-authored-by: Mathieu Martin --- CHANGELOG.next.md | 1 + schemas/README.md | 15 ++++++++++++++ scripts/generators/asciidoc_fields.py | 3 ++- scripts/generators/ecs_helpers.py | 4 ++-- scripts/schema/cleaner.py | 14 +++++++++++++ scripts/schema/finalizer.py | 3 +++ scripts/templates/field_details.j2 | 22 +++++++++++++++++++++ scripts/tests/unit/test_schema_finalizer.py | 4 ++-- 8 files changed, 61 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 0dcfdfaa7c..f87d61f45f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -36,6 +36,7 @@ Thanks, you're awesome :-) --> * Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042 * Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046 * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 +* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051 * Added support for `constant_keyword`'s optional parameter `value`. #1112 #### Improvements diff --git a/schemas/README.md b/schemas/README.md index 39b18f4bd7..2c14737c4a 100644 --- a/schemas/README.md +++ b/schemas/README.md @@ -32,6 +32,8 @@ Optional field set attributes: - type (ignored): at this level, should always be `group` - reusable (optional): Used to identify which field sets are expected to be reused in multiple places. See "Field set reuse" for details. +- beta: Adds a beta marker for the entire fieldset. The text provided in this attribute is used as content of the beta marker in the documentation. + Beta notices should not have newlines. ### Field set reuse 
@@ -104,6 +106,18 @@ The above defines all process fields in both places: } ``` +The `beta` marker can optionally be used along with `at` and `as` to include a beta marker in the field reuses section, marking specific reuse locations as beta. +Beta notices should not have newlines. + +``` + reusable: + top_level: true + expected: + - at: user + as: target + beta: Reusing these fields in this location is currently considered beta. +``` + ### List of fields Array of YAML objects: @@ -134,6 +148,7 @@ Supported keys to describe fields - format: Field format that can be used in a Kibana index template. - normalize: Normalization steps that should be applied at ingestion time. Supported values: - array: the content of the field should be an array (even when there's only one value). +- beta (optional): Adds a beta marker for the field to the description. The text provided in this attribute is used as content of the beta marker in the documentation. Note that when a whole field set is marked as beta, it is not necessary nor recommended to mark all fields in the field set as beta. Beta notices should not have newlines. Supported keys to describe expected values for a field diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py index e5e2262bd0..04fd1fcacf 100644 --- a/scripts/generators/asciidoc_fields.py +++ b/scripts/generators/asciidoc_fields.py @@ -39,7 +39,8 @@ def render_nestings_reuse_section(fieldset): rows.append({ 'flat_nesting': "{}.*".format(reused_here_entry['full']), 'name': reused_here_entry['schema_name'], - 'short': reused_here_entry['short'] + 'short': reused_here_entry['short'], + 'beta': reused_here_entry.get('beta', '') }) return sorted(rows, key=lambda x: x['flat_nesting']) diff --git a/scripts/generators/ecs_helpers.py b/scripts/generators/ecs_helpers.py index 801319854c..086f4d592d 100644 --- a/scripts/generators/ecs_helpers.py +++ b/scripts/generators/ecs_helpers.py 
@@ -189,5 +189,5 @@ def strict_warning(msg): :param msg: custom text which will be displayed with wrapped boilerplate for strict warning messages. """ - warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode." - warnings.warn(warn_message) + warn_message = f"{msg}\n\nThis will cause an exception when running in strict mode.\nWarning check:" + warnings.warn(warn_message, stacklevel=3) diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py index 185d0abedc..83f2d15933 100644 --- a/scripts/schema/cleaner.py +++ b/scripts/schema/cleaner.py @@ -76,6 +76,8 @@ def schema_mandatory_attributes(schema): def schema_assertions_and_warnings(schema): '''Additional checks on a fleshed out schema''' single_line_short_description(schema, strict=strict_mode) + if 'beta' in schema['field_details']: + single_line_beta_description(schema, strict=strict_mode) def normalize_reuse_notation(schema): @@ -181,6 +183,8 @@ def field_assertions_and_warnings(field): # check short description length if in strict mode single_line_short_description(field, strict=strict_mode) check_example_value(field, strict=strict_mode) + if 'beta' in field['field_details']: + single_line_beta_description(field, strict=strict_mode) if field['field_details']['level'] not in ACCEPTABLE_FIELD_LEVELS: msg = "Invalid level for field '{}'.\nValue: {}\nAcceptable values: {}".format( field['field_details']['name'], field['field_details']['level'], @@ -220,3 +224,13 @@ def check_example_value(field, strict=True): raise ValueError(msg) else: ecs_helpers.strict_warning(msg) + + +def single_line_beta_description(schema_or_field, strict=True): + if "\n" in schema_or_field['field_details']['beta']: + msg = "Beta descriptions must be single line.\n" + msg += f"Offending field or field set: {schema_or_field['field_details']['name']}" + if strict: + raise ValueError(msg) + else: + ecs_helpers.strict_warning(msg) 
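Review bot: `stacklevel=3` together with the trailing `Warning check:` label appears intended to make the printed source line be the site that invoked the check function (e.g. `field_assertions_and_warnings`), but nothing in `strict_warning` says so, and any caller that invokes `strict_warning` directly rather than through a check helper is one frame shallower and would have the wrong line attributed. A comment on the `warnings.warn` line would keep the next maintainer from "fixing" the number: `# stacklevel=3: attribute the warning to the code that called the check helper, not to strict_warning or the helper itself`. If callers at other depths are expected, a `stacklevel=3` keyword parameter passed through to `warnings.warn` is the safer shape.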
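Review bot: `single_line_beta_description` evaluates `"\n" in schema_or_field['field_details']['beta']`, which raises a bare `TypeError` instead of a schema error whenever `beta` is not a string — easy to hit, since a YAML author writing `beta: yes` or `beta: true` gets a bool. A guard ahead of the newline check gives the same actionable message the other checks do: `beta = schema_or_field['field_details']['beta']` / `if not isinstance(beta, str) or not beta.strip(): raise ValueError(f"Beta marker must be a non-empty string.\nOffending field or field set: {schema_or_field['field_details']['name']}")`. The empty-string case is worth rejecting too, because `field_details.j2` in this commit renders the marker only when the value is truthy, so an empty `beta:` silently produces no notice at all.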
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py index 3d1c7202b2..d1b4928507 100644 --- a/scripts/schema/finalizer.py +++ b/scripts/schema/finalizer.py @@ -128,6 +128,9 @@ def append_reused_here(reused_schema, reuse_entry, destination_schema): 'full': reuse_entry['full'], 'short': reused_schema['field_details']['short'], } + # Check for beta attribute + if 'beta' in reuse_entry: + reused_here_entry['beta'] = reuse_entry['beta'] destination_schema['schema_details']['reused_here'].extend([reused_here_entry]) diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2 index 3eef363fa8..643c2ccf5d 100644 --- a/scripts/templates/field_details.j2 +++ b/scripts/templates/field_details.j2 @@ -10,6 +10,13 @@ Find additional usage and examples in the {{ fieldset['name'] }} fields <> +{#- Beta marker on nested fields -#} +{%- if entry['beta'] -%} +| beta:[ {{ entry['beta'] }}] + +{{ entry['short'] }} +{%- else %} | {{ entry['short'] }} +{%- endif %} // =============================================================== diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py index 8a193a0454..cea5c01e6d 100644 --- a/scripts/tests/unit/test_schema_finalizer.py +++ b/scripts/tests/unit/test_schema_finalizer.py @@ -92,7 +92,7 @@ def schema_user(self): 'order': 2, 'expected': [ {'full': 'server.user', 'at': 'server', 'as': 'user'}, - {'full': 'user.target', 'at': 'user', 'as': 'target'}, + {'full': 'user.target', 'at': 'user', 'as': 'target', 'beta': 'Some beta notice'}, {'full': 'user.effective', 'at': 'user', 'as': 'effective'}, ] } 
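Review bot: The beta text is interpolated unescaped into an asciidoc macro (`| beta:[ {{ entry['beta'] }}]`), so a notice containing `]` would most likely terminate the macro early and spill the rest of the text into the table cell; the single-line check this commit adds in `cleaner.py` does not cover that character. Either reject `]` in `single_line_beta_description` (the newline check is the natural place) or document the constraint in `schemas/README.md` next to "Beta notices should not have newlines". The table template this block sits in starts and ends outside the hunk.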
@@ -211,7 +211,7 @@ def test_perform_reuse_with_foreign_reuse_and_self_reuse(self): fields['process']['schema_details']['reused_here']) self.assertIn({'full': 'user.effective', 'schema_name': 'user', 'short': 'short desc'}, fields['user']['schema_details']['reused_here']) - self.assertIn({'full': 'user.target', 'schema_name': 'user', 'short': 'short desc'}, + self.assertIn({'full': 'user.target', 'schema_name': 'user', 'short': 'short desc', 'beta': 'Some beta notice'}, fields['user']['schema_details']['reused_here']) self.assertIn({'full': 'server.user', 'schema_name': 'user', 'short': 'short desc'}, fields['server']['schema_details']['reused_here']) From 2026cd98fff22ddc779c72150c6c4f02dbbd34fd Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 19 Nov 2020 12:54:38 -0500 Subject: [PATCH 47/90] [1.x] Backport #1134 and #1135 (#1136) * Remove temporary ifeval in "getting started" page, add link to Metrics docs (#1134) * Remove temporary ifeval from products page, add link to Metrics (#1135) --- docs/products-solutions.asciidoc | 6 +----- docs/using-getting-started.asciidoc | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc index 945653779f..33b03ab7d2 100644 --- a/docs/products-solutions.asciidoc +++ b/docs/products-solutions.asciidoc 
@@ -9,14 +9,10 @@ The following Elastic products support ECS out of the box, as of version 7.0: ** {security-guide}/siem-field-reference.html[Elastic Security Field Reference] - a list of ECS fields used in the SIEM app * https://www.elastic.co/products/endpoint-security[Elastic Endpoint Security Server] -ifeval::["{branch}"=="7.9"] -* {logs-guide}/logs-app-overview.html[Log Monitoring] -endif::[] -ifeval::["{branch}"!="7.9"] * {observability-guide}/monitor-logs.html[Log Monitoring] -endif::[] * Log formatters that support ECS out of the box for various languages can be found https://github.com/elastic/ecs-logging/blob/master/README.md[here]. +* {observability-guide}/analyze-metrics.html[Metrics Monitoring] // TODO Insert community & partner solutions here diff --git a/docs/using-getting-started.asciidoc b/docs/using-getting-started.asciidoc index c81521a783..ff19f84840 100644 --- a/docs/using-getting-started.asciidoc +++ b/docs/using-getting-started.asciidoc @@ -285,10 +285,6 @@ Here are some examples of additional fields processed by metadata or parser proc We've covered at a high level how to map your events to ECS. Now if you'd like your events to render well in the Elastic solutions, check out the reference guides below to learn more about each: -ifeval::["{branch}"=="7.9"] -* {logs-guide}/logs-fields-reference.html[Log Monitoring Field Reference] -endif::[] -ifeval::["{branch}"!="7.9"] * {observability-guide}/logs-app-fields.html[Log Monitoring Field Reference] -endif::[] +* {observability-guide}/metrics-app-fields.html[Metrics Monitoring Field Reference] * {security-guide}/siem-field-reference.html[Elastic Security Field Reference] From 12e8827c60972a03c8e599b49d23024417a00fc6 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Wed, 25 Nov 2020 11:07:14 -0500 Subject: [PATCH 48/90] Two small documentation backports (#1149) * Remove an incorrect `event.type` from the 'converting' page (#1146) * Mention Logstash support for ECS in the 'products' page (#1147) --- docs/converting.asciidoc | 6 ++++-- docs/products-solutions.asciidoc | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/converting.asciidoc b/docs/converting.asciidoc index b4edd76e1d..3a7fdfd72e 100644 --- a/docs/converting.asciidoc +++ b/docs/converting.asciidoc @@ -35,8 +35,10 @@ Here's the recommended approach for converting an existing implementation to {ec - Review your original event data again - Consider populating the field based on additional meta-data such as static - information (e.g. add `event.type:syslog` even if syslog events don't mention this fact), - or information gathered from the environment (e.g. host information). + information (e.g. add `event.category:authentication` even if your auth events + don't mention the word "authentication") + - Consider capturing additional environment meta-data, such as information about the + host, container or cloud instance. . Review other extended fields from any field set you are already using, and attempt to populate it as well. diff --git a/docs/products-solutions.asciidoc b/docs/products-solutions.asciidoc index 33b03ab7d2..277c8ca910 100644 --- a/docs/products-solutions.asciidoc +++ b/docs/products-solutions.asciidoc @@ -13,6 +13,7 @@ Server] * Log formatters that support ECS out of the box for various languages can be found https://github.com/elastic/ecs-logging/blob/master/README.md[here]. * {observability-guide}/analyze-metrics.html[Metrics Monitoring] +* {ls}' {es} output has an {logstash-ref}/plugins-outputs-elasticsearch.html#_compatibility_with_the_elastic_common_schema_ecs[ECS compatibility mode] // TODO Insert community & partner solutions here From cf28a279ca89a83151af7a6f0046a37a758072c2 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Wed, 25 Nov 2020 16:02:54 -0500 Subject: [PATCH 49/90] [1.x] Reinforce the exclusion of the leading dot from url.extension (#1151) (#1152) --- code/go/ecs/url.go | 5 ++++- docs/field-details.asciidoc | 4 +++- experimental/generated/beats/fields.ecs.yml | 7 +++++-- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 10 +++++++--- experimental/generated/ecs/ecs_nested.yml | 9 ++++++--- generated/beats/fields.ecs.yml | 7 +++++-- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 10 +++++++--- generated/ecs/ecs_nested.yml | 9 ++++++--- schemas/url.yml | 8 ++++++-- 11 files changed, 51 insertions(+), 22 deletions(-) diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index 6c1ac3be75..ec00f75914 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -87,11 +87,14 @@ type Url struct { // differentiate between the two cases. Query string `ecs:"query"` - // The field contains the file extension from the original request url. + // The field contains the file extension from the original request url, + // excluding the leading dot. // The file extension is only set if it exists, as not every url has a file // extension. // The leading period must not be included. For example, the value must be // "png", not ".png". + // Note that when the file name has multiple extensions (example.tar.gz), + // only the last one should be captured ("gz", not "tar.gz"). Extension string `ecs:"extension"` // Portion of the url after the `#`, such as "top". diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index ae14752657..0303cb6e5b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -6247,12 +6247,14 @@ example: `www.elastic.co` // =============================================================== | url.extension -| The field contains the file extension from the original request url. +| The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". +Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index e148421e5a..15f8b78a38 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5269,12 +5269,15 @@ type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 9e24de5181..2c83d5823d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -631,7 +631,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. 1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5aefba80d3..12da870f3a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8037,19 +8037,23 @@ url.domain: type: wildcard url.extension: dashed_name: url-extension - description: 'The field contains the file extension from the original request url. + description: 'The field contains the file extension from the original request url, + excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 977a5c2232..84f21b05b8 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -9302,19 +9302,22 @@ url: url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 70ccffc264..d0f31c1f43 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5357,12 +5357,15 @@ type: keyword ignore_above: 1024 description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png - name: fragment level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 96637a3f4c..a8fc2c7e04 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -631,7 +631,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -1.8.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. 1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 78ef1eaec8..a4b7a0450b 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8121,19 +8121,23 @@ url.domain: type: keyword url.extension: dashed_name: url-extension - description: 'The field contains the file extension from the original request url. + description: 'The field contains the file extension from the original request url, + excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1352e844e5..72bea8756d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9391,19 +9391,22 @@ url: url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request - url. + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", - not ".png".' + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' example: png flat_name: url.extension ignore_above: 1024 level: extended name: extension normalize: [] - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. type: keyword url.fragment: dashed_name: url-fragment 
diff --git a/schemas/url.yml b/schemas/url.yml index 8a523fbc8d..0253f316e8 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -133,13 +133,17 @@ - name: extension level: extended type: keyword - short: File extension from the original request url. + short: File extension from the request url, excluding the leading dot. description: > - The field contains the file extension from the original request url. + The field contains the file extension from the original request url, + excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), + only the last one should be captured ("gz", not "tar.gz"). example: png - name: fragment From b7f63a750e0b41f463014fb8ccf51a3bea2ebd63 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 26 Nov 2020 09:24:15 -0500 Subject: [PATCH 50/90] [1.x] Make all fields linkable directly via an HTML ID (#1148) (#1154) --- docs/field-details.asciidoc | 2045 +++++++++++++++---- experimental/generated/ecs/ecs_flat.yml | 2 +- experimental/generated/ecs/ecs_nested.yml | 2 +- generated/ecs/ecs_flat.yml | 2 +- generated/ecs/ecs_nested.yml | 2 +- scripts/schema/finalizer.py | 2 +- scripts/templates/field_details.j2 | 5 +- scripts/tests/unit/test_schema_finalizer.py | 4 +- 8 files changed, 1647 insertions(+), 417 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 0303cb6e5b..0d41f4462c 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
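Review bot: The expanded `url.extension` description now settles the leading dot and the `tar.gz` case, but it still says the value comes from "the original request url" without saying which part, so a request like `/download.php?file=report.png` yields `php` from a producer that inspects the path and `png` from one that scans the whole string. Because detection content matches this keyword exactly, that ambiguity — together with the unstated case handling (is `.PNG` stored as `PNG` or `png`?) — lets the same request fall on either side of a rule depending on the shipper. Suggest appending after the tar.gz sentence: `The extension is taken from the path portion of the URL only, never from the query string or fragment.` plus one line stating whether the value is lowercased. Only this schema file needs the wording; the generated Go, YAML and CSV artifacts touched by this commit are regenerated from it.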
@@ -12,7 +12,10 @@ The `base` field set contains all fields which are at the root of the events. Th // =============================================================== -| @timestamp +| +[[field-timestamp]] +<> + | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. @@ -31,7 +34,10 @@ example: `2016-05-23T08:05:34.853Z` // =============================================================== -| labels +| +[[field-labels]] +<> + | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. @@ -48,7 +54,10 @@ example: `{"application": "foo-bar", "env": "production"}` // =============================================================== -| message +| +[[field-message]] +<> + | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. @@ -65,7 +74,10 @@ example: `Hello World` // =============================================================== -| tags +| +[[field-tags]] +<> + | List of keywords used to tag each event. type: keyword @@ -99,7 +111,10 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha // =============================================================== -| agent.build.original +| +[[field-agent-build-original]] +<> + | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. 
@@ -114,7 +129,10 @@ example: `metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344 // =============================================================== -| agent.ephemeral_id +| +[[field-agent-ephemeral-id]] +<> + | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. @@ -129,7 +147,10 @@ example: `8a4f500f` // =============================================================== -| agent.id +| +[[field-agent-id]] +<> + | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. @@ -144,7 +165,10 @@ example: `8a4f500d` // =============================================================== -| agent.name +| +[[field-agent-name]] +<> + | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. @@ -161,7 +185,10 @@ example: `foo` // =============================================================== -| agent.type +| +[[field-agent-type]] +<> + | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. @@ -176,7 +203,10 @@ example: `filebeat` // =============================================================== -| agent.version +| +[[field-agent-version]] +<> + | Version of the agent. type: keyword @@ -205,7 +235,10 @@ An autonomous system (AS) is a collection of connected Internet Protocol (IP) ro // =============================================================== -| as.number +| +[[field-as-number]] +<> + | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long 
@@ -218,7 +251,10 @@ example: `15169` // =============================================================== -| as.organization.name +| +[[field-as-organization-name]] +<> + | Organization name. type: keyword @@ -267,7 +303,10 @@ Client / server representations can add semantic context to an exchange, which i // =============================================================== -| client.address +| +[[field-client-address]] +<> + | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -282,7 +321,10 @@ type: keyword // =============================================================== -| client.bytes +| +[[field-client-bytes]] +<> + | Bytes sent from the client to the server. type: long @@ -295,7 +337,10 @@ example: `184` // =============================================================== -| client.domain +| +[[field-client-domain]] +<> + | Client domain. type: keyword @@ -308,7 +353,10 @@ type: keyword // =============================================================== -| client.ip +| +[[field-client-ip]] +<> + | IP address of the client (IPv4 or IPv6). type: ip @@ -321,7 +369,10 @@ type: ip // =============================================================== -| client.mac +| +[[field-client-mac]] +<> + | MAC address of the client. type: keyword @@ -334,7 +385,10 @@ type: keyword // =============================================================== -| client.nat.ip +| +[[field-client-nat-ip]] +<> + | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. 
@@ -349,7 +403,10 @@ type: ip // =============================================================== -| client.nat.port +| +[[field-client-nat-port]] +<> + | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. @@ -364,7 +421,10 @@ type: long // =============================================================== -| client.packets +| +[[field-client-packets]] +<> + | Packets sent from the client to the server. type: long @@ -377,7 +437,10 @@ example: `12` // =============================================================== -| client.port +| +[[field-client-port]] +<> + | Port of the client. type: long @@ -390,7 +453,10 @@ type: long // =============================================================== -| client.registered_domain +| +[[field-client-registered-domain]] +<> + | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -407,7 +473,10 @@ example: `example.com` // =============================================================== -| client.subdomain +| +[[field-client-subdomain]] +<> + | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
@@ -422,7 +491,10 @@ example: `east` // =============================================================== -| client.top_level_domain +| +[[field-client-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". @@ -490,7 +562,10 @@ Fields related to the cloud or infrastructure the events are coming from. // =============================================================== -| cloud.account.id +| +[[field-cloud-account-id]] +<> + | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. @@ -505,7 +580,10 @@ example: `666777888999` // =============================================================== -| cloud.account.name +| +[[field-cloud-account-name]] +<> + | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. @@ -520,7 +598,10 @@ example: `elastic-dev` // =============================================================== -| cloud.availability_zone +| +[[field-cloud-availability-zone]] +<> + | Availability zone in which this host is running. type: keyword @@ -533,7 +614,10 @@ example: `us-east-1c` // =============================================================== -| cloud.instance.id +| +[[field-cloud-instance-id]] +<> + | Instance ID of the host machine. type: keyword @@ -546,7 +630,10 @@ example: `i-1234567890abcdef0` // =============================================================== -| cloud.instance.name +| +[[field-cloud-instance-name]] +<> + | Instance name of the host machine. type: keyword 
@@ -559,7 +646,10 @@ type: keyword // =============================================================== -| cloud.machine.type +| +[[field-cloud-machine-type]] +<> + | Machine type of the host machine. type: keyword @@ -572,7 +662,10 @@ example: `t2.medium` // =============================================================== -| cloud.project.id +| +[[field-cloud-project-id]] +<> + | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. @@ -587,7 +680,10 @@ example: `my-project` // =============================================================== -| cloud.project.name +| +[[field-cloud-project-name]] +<> + | The cloud project name. Examples: Google Cloud Project name, Azure Project name. @@ -602,7 +698,10 @@ example: `my project` // =============================================================== -| cloud.provider +| +[[field-cloud-provider]] +<> + | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. type: keyword @@ -615,7 +714,10 @@ example: `aws` // =============================================================== -| cloud.region +| +[[field-cloud-region]] +<> + | Region in which this host is running. type: keyword @@ -644,7 +746,10 @@ These fields contain information about binary code signatures. // =============================================================== -| code_signature.exists +| +[[field-code-signature-exists]] +<> + | Boolean to capture if a signature is present. type: boolean @@ -657,7 +762,10 @@ example: `true` // =============================================================== -| code_signature.status +| +[[field-code-signature-status]] +<> + | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
@@ -672,7 +780,10 @@ example: `ERROR_UNTRUSTED_ROOT` // =============================================================== -| code_signature.subject_name +| +[[field-code-signature-subject-name]] +<> + | Subject name of the code signer type: keyword @@ -685,7 +796,10 @@ example: `Microsoft Corporation` // =============================================================== -| code_signature.trusted +| +[[field-code-signature-trusted]] +<> + | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. @@ -700,7 +814,10 @@ example: `true` // =============================================================== -| code_signature.valid +| +[[field-code-signature-valid]] +<> + | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. @@ -743,7 +860,10 @@ These fields help correlate data based containers from any runtime. // =============================================================== -| container.id +| +[[field-container-id]] +<> + | Unique container id. type: keyword @@ -756,7 +876,10 @@ type: keyword // =============================================================== -| container.image.name +| +[[field-container-image-name]] +<> + | Name of the image the container was built on. type: keyword @@ -769,7 +892,10 @@ type: keyword // =============================================================== -| container.image.tag +| +[[field-container-image-tag]] +<> + | Container image tags. type: keyword @@ -785,7 +911,10 @@ Note: this field should contain an array of values. // =============================================================== -| container.labels +| +[[field-container-labels]] +<> + | Image labels. type: object 
@@ -798,7 +927,10 @@ type: object // =============================================================== -| container.name +| +[[field-container-name]] +<> + | Container name. type: keyword @@ -811,7 +943,10 @@ type: keyword // =============================================================== -| container.runtime +| +[[field-container-runtime]] +<> + | Runtime managing this container. type: keyword @@ -842,7 +977,10 @@ Destination fields are usually populated in conjunction with source fields. The // =============================================================== -| destination.address +| +[[field-destination-address]] +<> + | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -857,7 +995,10 @@ type: keyword // =============================================================== -| destination.bytes +| +[[field-destination-bytes]] +<> + | Bytes sent from the destination to the source. type: long @@ -870,7 +1011,10 @@ example: `184` // =============================================================== -| destination.domain +| +[[field-destination-domain]] +<> + | Destination domain. type: keyword @@ -883,7 +1027,10 @@ type: keyword // =============================================================== -| destination.ip +| +[[field-destination-ip]] +<> + | IP address of the destination (IPv4 or IPv6). type: ip @@ -896,7 +1043,10 @@ type: ip // =============================================================== -| destination.mac +| +[[field-destination-mac]] +<> + | MAC address of the destination. type: keyword 
@@ -909,7 +1059,10 @@ type: keyword // =============================================================== -| destination.nat.ip +| +[[field-destination-nat-ip]] +<> + | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. @@ -924,7 +1077,10 @@ type: ip // =============================================================== -| destination.nat.port +| +[[field-destination-nat-port]] +<> + | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. @@ -939,7 +1095,10 @@ type: long // =============================================================== -| destination.packets +| +[[field-destination-packets]] +<> + | Packets sent from the destination to the source. type: long @@ -952,7 +1111,10 @@ example: `12` // =============================================================== -| destination.port +| +[[field-destination-port]] +<> + | Port of the destination. type: long @@ -965,7 +1127,10 @@ type: long // =============================================================== -| destination.registered_domain +| +[[field-destination-registered-domain]] +<> + | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -982,7 +1147,10 @@ example: `example.com` // =============================================================== -| destination.subdomain +| +[[field-destination-subdomain]] +<> + | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. @@ -997,7 +1165,10 @@ example: `east` // =============================================================== -| destination.top_level_domain +| +[[field-destination-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". @@ -1075,7 +1246,10 @@ Many operating systems refer to "shared code libraries" with different names, bu // =============================================================== -| dll.name +| +[[field-dll-name]] +<> + | Name of the library. This generally maps to the name of the file on disk. @@ -1090,7 +1264,10 @@ example: `kernel32.dll` // =============================================================== -| dll.path +| +[[field-dll-path]] +<> + | Full file path of the library. type: keyword 
@@ -1158,7 +1335,10 @@ DNS events should either represent a single DNS query prior to getting answers ( // =============================================================== -| dns.answers +| +[[field-dns-answers]] +<> + | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. @@ -1178,7 +1358,10 @@ Note: this field should contain an array of values. // =============================================================== -| dns.answers.class +| +[[field-dns-answers-class]] +<> + | The class of DNS data contained in this resource record. type: keyword @@ -1191,7 +1374,10 @@ example: `IN` // =============================================================== -| dns.answers.data +| +[[field-dns-answers-data]] +<> + | The data describing the resource. The meaning of this data depends on the type and class of the resource record. @@ -1206,7 +1392,10 @@ example: `10.10.10.10` // =============================================================== -| dns.answers.name +| +[[field-dns-answers-name]] +<> + | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. @@ -1221,7 +1410,10 @@ example: `www.example.com` // =============================================================== -| dns.answers.ttl +| +[[field-dns-answers-ttl]] +<> + | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. type: long @@ -1234,7 +1426,10 @@ example: `180` // =============================================================== -| dns.answers.type +| +[[field-dns-answers-type]] +<> + | The type of data contained in this resource record. type: keyword 
@@ -1247,7 +1442,10 @@ example: `CNAME` // =============================================================== -| dns.header_flags +| +[[field-dns-header-flags]] +<> + | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. @@ -1265,7 +1463,10 @@ example: `["RD", "RA"]` // =============================================================== -| dns.id +| +[[field-dns-id]] +<> + | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. type: keyword @@ -1278,7 +1479,10 @@ example: `62111` // =============================================================== -| dns.op_code +| +[[field-dns-op-code]] +<> + | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. type: keyword @@ -1291,7 +1495,10 @@ example: `QUERY` // =============================================================== -| dns.question.class +| +[[field-dns-question-class]] +<> + | The class of records being queried. type: keyword @@ -1304,7 +1511,10 @@ example: `IN` // =============================================================== -| dns.question.name +| +[[field-dns-question-name]] +<> + | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. @@ -1319,7 +1529,10 @@ example: `www.example.com` // =============================================================== -| dns.question.registered_domain +| +[[field-dns-question-registered-domain]] +<> + | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -1336,7 +1549,10 @@ example: `example.com` // =============================================================== -| dns.question.subdomain +| +[[field-dns-question-subdomain]] +<> + | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. @@ -1351,7 +1567,10 @@ example: `www` // =============================================================== -| dns.question.top_level_domain +| +[[field-dns-question-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". @@ -1366,7 +1585,10 @@ example: `co.uk` // =============================================================== -| dns.question.type +| +[[field-dns-question-type]] +<> + | The type of record being queried. type: keyword @@ -1379,7 +1601,10 @@ example: `AAAA` // =============================================================== -| dns.resolved_ip +| +[[field-dns-resolved-ip]] +<> + | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. @@ -1397,7 +1622,10 @@ example: `["10.10.10.10", "10.10.10.11"]` // =============================================================== -| dns.response_code +| +[[field-dns-response-code]] +<> + | The DNS response code. type: keyword 
@@ -1410,7 +1638,10 @@ example: `NOERROR` // =============================================================== -| dns.type +| +[[field-dns-type]] +<> + | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. @@ -1443,7 +1674,10 @@ Meta-information specific to ECS. // =============================================================== -| ecs.version +| +[[field-ecs-version]] +<> + | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. @@ -1476,7 +1710,10 @@ Use them for errors that happen while fetching events or in cases where the even // =============================================================== -| error.code +| +[[field-error-code]] +<> + | Error code describing the error. type: keyword @@ -1489,7 +1726,10 @@ type: keyword // =============================================================== -| error.id +| +[[field-error-id]] +<> + | Unique identifier for the error. type: keyword @@ -1502,7 +1742,10 @@ type: keyword // =============================================================== -| error.message +| +[[field-error-message]] +<> + | Error message. type: text @@ -1515,7 +1758,10 @@ type: text // =============================================================== -| error.stack_trace +| +[[field-error-stack-trace]] +<> + | The stack trace of this error in plain text. type: keyword @@ -1534,7 +1780,10 @@ Multi-fields: // =============================================================== -| error.type +| +[[field-error-type]] +<> + | The type of the error, for example the class name of the exception. type: keyword 
@@ -1565,7 +1814,10 @@ A log is defined as an event containing details of something that happened. Log // =============================================================== -| event.action +| +[[field-event-action]] +<> + | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. @@ -1580,7 +1832,10 @@ example: `user-password-change` // =============================================================== -| event.category +| +[[field-event-category]] +<> + | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. @@ -1607,7 +1862,10 @@ To learn more about when to use which value, visit the page // =============================================================== -| event.code +| +[[field-event-code]] +<> + | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. @@ -1622,7 +1880,10 @@ example: `4648` // =============================================================== -| event.created +| +[[field-event-created]] +<> + | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
@@ -1641,7 +1902,10 @@ example: `2016-05-23T08:05:34.857Z` // =============================================================== -| event.dataset +| +[[field-event-dataset]] +<> + | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. @@ -1658,7 +1922,10 @@ example: `apache.access` // =============================================================== -| event.duration +| +[[field-event-duration]] +<> + | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. @@ -1673,7 +1940,10 @@ type: long // =============================================================== -| event.end +| +[[field-event-end]] +<> + | event.end contains the date when the event ended or when the activity was last observed. type: date @@ -1686,7 +1956,10 @@ type: date // =============================================================== -| event.hash +| +[[field-event-hash]] +<> + | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword @@ -1699,7 +1972,10 @@ example: `123456789012345678901234567890ABCD` // =============================================================== -| event.id +| +[[field-event-id]] +<> + | Unique ID to describe the event. type: keyword @@ -1712,7 +1988,10 @@ example: `8a4f500d` // =============================================================== -| event.ingested +| +[[field-event-ingested]] +<> + | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
@@ -1729,7 +2008,10 @@ example: `2016-05-23T08:05:35.101Z` // =============================================================== -| event.kind +| +[[field-event-kind]] +<> + | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. @@ -1753,7 +2035,10 @@ To learn more about when to use which value, visit the page // =============================================================== -| event.module +| +[[field-event-module]] +<> + | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. @@ -1768,7 +2053,10 @@ example: `apache` // =============================================================== -| event.original +| +[[field-event-original]] +<> + | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. @@ -1783,7 +2071,10 @@ example: `Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0& // =============================================================== -| event.outcome +| +[[field-event-outcome]] +<> + | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
@@ -1811,7 +2102,10 @@ To learn more about when to use which value, visit the page // =============================================================== -| event.provider +| +[[field-event-provider]] +<> + | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). @@ -1826,7 +2120,10 @@ example: `kernel` // =============================================================== -| event.reason +| +[[field-event-reason]] +<> + | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). @@ -1841,7 +2138,10 @@ example: `Terminated an unexpected process` // =============================================================== -| event.reference +| +[[field-event-reference]] +<> + | Reference URL linking to additional information about this event. This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. @@ -1856,7 +2156,10 @@ example: `https://system.example.com/event/#0001234` // =============================================================== -| event.risk_score +| +[[field-event-risk-score]] +<> + | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. type: float 
@@ -1869,7 +2172,10 @@ type: float // =============================================================== -| event.risk_score_norm +| +[[field-event-risk-score-norm]] +<> + | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. @@ -1884,7 +2190,10 @@ type: float // =============================================================== -| event.sequence +| +[[field-event-sequence]] +<> + | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. @@ -1899,7 +2208,10 @@ type: long // =============================================================== -| event.severity +| +[[field-event-severity]] +<> + | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. @@ -1916,7 +2228,10 @@ example: `7` // =============================================================== -| event.start +| +[[field-event-start]] +<> + | event.start contains the date when the event started or when the activity was first observed. type: date @@ -1929,7 +2244,10 @@ type: date // =============================================================== -| event.timezone +| +[[field-event-timezone]] +<> + | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
@@ -1944,7 +2262,10 @@ type: keyword // =============================================================== -| event.type +| +[[field-event-type]] +<> + | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. @@ -1971,7 +2292,10 @@ To learn more about when to use which value, visit the page // =============================================================== -| event.url +| +[[field-event-url]] +<> + | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. @@ -2004,7 +2328,10 @@ File objects can be associated with host events, network events, and/or file eve // =============================================================== -| file.accessed +| +[[field-file-accessed]] +<> + | Last time the file was accessed. Note that not all filesystems keep track of access time. @@ -2019,7 +2346,10 @@ type: date // =============================================================== -| file.attributes +| +[[field-file-attributes]] +<> + | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. @@ -2037,7 +2367,10 @@ example: `["readonly", "system"]` // =============================================================== -| file.created +| +[[field-file-created]] +<> + | File creation time. Note that not all filesystems store the creation time. 
@@ -2052,7 +2385,10 @@ type: date // =============================================================== -| file.ctime +| +[[field-file-ctime]] +<> + | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. @@ -2067,7 +2403,10 @@ type: date // =============================================================== -| file.device +| +[[field-file-device]] +<> + | Device that is the source of the file. type: keyword @@ -2080,7 +2419,10 @@ example: `sda` // =============================================================== -| file.directory +| +[[field-file-directory]] +<> + | Directory where the file is located. It should include the drive letter, when appropriate. type: keyword @@ -2093,7 +2435,10 @@ example: `/home/alice` // =============================================================== -| file.drive_letter +| +[[field-file-drive-letter]] +<> + | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. @@ -2108,7 +2453,10 @@ example: `C` // =============================================================== -| file.extension +| +[[field-file-extension]] +<> + | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). @@ -2123,7 +2471,10 @@ example: `png` // =============================================================== -| file.gid +| +[[field-file-gid]] +<> + | Primary group ID (GID) of the file. type: keyword @@ -2136,7 +2487,10 @@ example: `1001` // =============================================================== -| file.group +| +[[field-file-group]] +<> + | Primary group name of the file. type: keyword 
@@ -2149,7 +2503,10 @@ example: `alice` // =============================================================== -| file.inode +| +[[field-file-inode]] +<> + | Inode representing the file in the filesystem. type: keyword @@ -2162,7 +2519,10 @@ example: `256383` // =============================================================== -| file.mime_type +| +[[field-file-mime-type]] +<> + | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword @@ -2175,7 +2535,10 @@ type: keyword // =============================================================== -| file.mode +| +[[field-file-mode]] +<> + | Mode of the file in octal representation. type: keyword @@ -2188,7 +2551,10 @@ example: `0640` // =============================================================== -| file.mtime +| +[[field-file-mtime]] +<> + | Last time the file content was modified. type: date @@ -2201,7 +2567,10 @@ type: date // =============================================================== -| file.name +| +[[field-file-name]] +<> + | Name of the file including the extension, without the directory. type: keyword @@ -2214,7 +2583,10 @@ example: `example.png` // =============================================================== -| file.owner +| +[[field-file-owner]] +<> + | File owner's username. type: keyword @@ -2227,7 +2599,10 @@ example: `alice` // =============================================================== -| file.path +| +[[field-file-path]] +<> + | Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword @@ -2246,7 +2621,10 @@ example: `/home/alice/example.png` // =============================================================== -| file.size +| +[[field-file-size]] +<> + | File size in bytes. Only relevant when `file.type` is "file". 
@@ -2261,7 +2639,10 @@ example: `16384` // =============================================================== -| file.target_path +| +[[field-file-target-path]] +<> + | Target path for symlinks. type: keyword @@ -2280,7 +2661,10 @@ Multi-fields: // =============================================================== -| file.type +| +[[field-file-type]] +<> + | File type (file, dir, or symlink). type: keyword @@ -2293,7 +2677,10 @@ example: `file` // =============================================================== -| file.uid +| +[[field-file-uid]] +<> + | The user ID (UID) or security identifier (SID) of the file owner. type: keyword @@ -2367,7 +2754,10 @@ This geolocation information can be derived from techniques such as Geo IP, or b // =============================================================== -| geo.city_name +| +[[field-geo-city-name]] +<> + | City name. type: keyword @@ -2380,7 +2770,10 @@ example: `Montreal` // =============================================================== -| geo.continent_name +| +[[field-geo-continent-name]] +<> + | Name of the continent. type: keyword @@ -2393,7 +2786,10 @@ example: `North America` // =============================================================== -| geo.country_iso_code +| +[[field-geo-country-iso-code]] +<> + | Country ISO code. type: keyword @@ -2406,7 +2802,10 @@ example: `CA` // =============================================================== -| geo.country_name +| +[[field-geo-country-name]] +<> + | Country name. type: keyword @@ -2419,7 +2818,10 @@ example: `Canada` // =============================================================== -| geo.location +| +[[field-geo-location]] +<> + | Longitude and latitude. type: geo_point 
@@ -2432,7 +2834,10 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }` // =============================================================== -| geo.name +| +[[field-geo-name]] +<> + | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. @@ -2449,7 +2854,10 @@ example: `boston-dc` // =============================================================== -| geo.region_iso_code +| +[[field-geo-region-iso-code]] +<> + | Region ISO code. type: keyword @@ -2462,7 +2870,10 @@ example: `CA-QC` // =============================================================== -| geo.region_name +| +[[field-geo-region-name]] +<> + | Region name. type: keyword @@ -2501,7 +2912,10 @@ The group fields are meant to represent groups that are relevant to the event. // =============================================================== -| group.domain +| +[[field-group-domain]] +<> + | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. @@ -2516,7 +2930,10 @@ type: keyword // =============================================================== -| group.id +| +[[field-group-id]] +<> + | Unique identifier for the group on the system/platform. type: keyword @@ -2529,7 +2946,10 @@ type: keyword // =============================================================== -| group.name +| +[[field-group-name]] +<> + | Name of the group. type: keyword @@ -2570,7 +2990,10 @@ Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for ot // =============================================================== -| hash.md5 +| +[[field-hash-md5]] +<> + | MD5 hash. type: keyword @@ -2583,7 +3006,10 @@ type: keyword // =============================================================== -| hash.sha1 +| +[[field-hash-sha1]] +<> + | SHA1 hash. type: keyword 
@@ -2596,7 +3022,10 @@ type: keyword // =============================================================== -| hash.sha256 +| +[[field-hash-sha256]] +<> + | SHA256 hash. type: keyword @@ -2609,7 +3038,10 @@ type: keyword // =============================================================== -| hash.sha512 +| +[[field-hash-sha512]] +<> + | SHA512 hash. type: keyword @@ -2650,7 +3082,10 @@ ECS host.* fields should be populated with details about the host on which the e // =============================================================== -| host.architecture +| +[[field-host-architecture]] +<> + | Operating system architecture. type: keyword @@ -2663,7 +3098,10 @@ example: `x86_64` // =============================================================== -| host.domain +| +[[field-host-domain]] +<> + | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. @@ -2678,7 +3116,10 @@ example: `CONTOSO` // =============================================================== -| host.hostname +| +[[field-host-hostname]] +<> + | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. @@ -2693,7 +3134,10 @@ type: keyword // =============================================================== -| host.id +| +[[field-host-id]] +<> + | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. @@ -2710,7 +3154,10 @@ type: keyword // =============================================================== -| host.ip +| +[[field-host-ip]] +<> + | Host ip addresses. type: ip @@ -2726,7 +3173,10 @@ Note: this field should contain an array of values. // =============================================================== -| host.mac +| +[[field-host-mac]] +<> + | Host mac addresses. type: keyword 
@@ -2742,7 +3192,10 @@ Note: this field should contain an array of values. // =============================================================== -| host.name +| +[[field-host-name]] +<> + | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. @@ -2757,7 +3210,10 @@ type: keyword // =============================================================== -| host.type +| +[[field-host-type]] +<> + | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. @@ -2772,7 +3228,10 @@ type: keyword // =============================================================== -| host.uptime +| +[[field-host-uptime]] +<> + | Seconds the host has been up. type: long @@ -2838,7 +3297,10 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the // =============================================================== -| http.request.body.bytes +| +[[field-http-request-body-bytes]] +<> + | Size in bytes of the request body. type: long @@ -2851,7 +3313,10 @@ example: `887` // =============================================================== -| http.request.body.content +| +[[field-http-request-body-content]] +<> + | The full HTTP request body. type: keyword @@ -2870,7 +3335,10 @@ example: `Hello world` // =============================================================== -| http.request.bytes +| +[[field-http-request-bytes]] +<> + | Total size in bytes of the request (body and headers). type: long @@ -2883,7 +3351,10 @@ example: `1437` // =============================================================== -| http.request.method +| +[[field-http-request-method]] +<> + | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: 
@@ -2902,7 +3373,10 @@ example: `GET, POST, PUT, PoST` // =============================================================== -| http.request.mime_type +| +[[field-http-request-mime-type]] +<> + | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. @@ -2917,7 +3391,10 @@ example: `image/gif` // =============================================================== -| http.request.referrer +| +[[field-http-request-referrer]] +<> + | Referrer for this HTTP request. type: keyword @@ -2930,7 +3407,10 @@ example: `https://blog.example.com/` // =============================================================== -| http.response.body.bytes +| +[[field-http-response-body-bytes]] +<> + | Size in bytes of the response body. type: long @@ -2943,7 +3423,10 @@ example: `887` // =============================================================== -| http.response.body.content +| +[[field-http-response-body-content]] +<> + | The full HTTP response body. type: keyword @@ -2962,7 +3445,10 @@ example: `Hello world` // =============================================================== -| http.response.bytes +| +[[field-http-response-bytes]] +<> + | Total size in bytes of the response (body and headers). type: long @@ -2975,7 +3461,10 @@ example: `1437` // =============================================================== -| http.response.mime_type +| +[[field-http-response-mime-type]] +<> + | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. 
@@ -2990,7 +3479,10 @@ example: `image/gif` // =============================================================== -| http.response.status_code +| +[[field-http-response-status-code]] +<> + | HTTP response status code. type: long @@ -3003,7 +3495,10 @@ example: `404` // =============================================================== -| http.version +| +[[field-http-version]] +<> + | HTTP version. type: keyword @@ -3032,7 +3527,10 @@ The interface fields are used to record ingress and egress interface information // =============================================================== -| interface.alias +| +[[field-interface-alias]] +<> + | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword @@ -3045,7 +3543,10 @@ example: `outside` // =============================================================== -| interface.id +| +[[field-interface-id]] +<> + | Interface ID as reported by an observer (typically SNMP interface ID). type: keyword @@ -3058,7 +3559,10 @@ example: `10` // =============================================================== -| interface.name +| +[[field-interface-name]] +<> + | Interface name as reported by the system. type: keyword @@ -3101,7 +3605,10 @@ The details specific to your event source are typically not logged under `log.*` // =============================================================== -| log.file.path +| +[[field-log-file-path]] +<> + | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
@@ -3116,7 +3623,10 @@ example: `/var/log/fun-times.log` // =============================================================== -| log.level +| +[[field-log-level]] +<> + | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). @@ -3133,7 +3643,10 @@ example: `error` // =============================================================== -| log.logger +| +[[field-log-logger]] +<> + | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. type: keyword @@ -3146,7 +3659,10 @@ example: `org.elasticsearch.bootstrap.Bootstrap` // =============================================================== -| log.origin.file.line +| +[[field-log-origin-file-line]] +<> + | The line number of the file containing the source code which originated the log event. type: integer @@ -3159,7 +3675,10 @@ example: `42` // =============================================================== -| log.origin.file.name +| +[[field-log-origin-file-name]] +<> + | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. @@ -3174,7 +3693,10 @@ example: `Bootstrap.java` // =============================================================== -| log.origin.function +| +[[field-log-origin-function]] +<> + | The name of the function or method which originated the log event. type: keyword 
@@ -3187,7 +3709,10 @@ example: `init` // =============================================================== -| log.original +| +[[field-log-original]] +<> + | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. @@ -3204,7 +3729,10 @@ example: `Sep 19 08:26:10 localhost My log` // =============================================================== -| log.syslog +| +[[field-log-syslog]] +<> + | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. type: object @@ -3217,7 +3745,10 @@ type: object // =============================================================== -| log.syslog.facility.code +| +[[field-log-syslog-facility-code]] +<> + | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. @@ -3232,7 +3763,10 @@ example: `23` // =============================================================== -| log.syslog.facility.name +| +[[field-log-syslog-facility-name]] +<> + | The Syslog text-based facility of the log event, if available. type: keyword @@ -3245,7 +3779,10 @@ example: `local7` // =============================================================== -| log.syslog.priority +| +[[field-log-syslog-priority]] +<> + | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. 
@@ -3260,7 +3797,10 @@ example: `135` // =============================================================== -| log.syslog.severity.code +| +[[field-log-syslog-severity-code]] +<> + | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. @@ -3275,7 +3815,10 @@ example: `3` // =============================================================== -| log.syslog.severity.name +| +[[field-log-syslog-severity-name]] +<> + | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. @@ -3308,7 +3851,10 @@ The network.* fields should be populated with details about the network activity // =============================================================== -| network.application +| +[[field-network-application]] +<> + | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". @@ -3323,7 +3869,10 @@ example: `aim` // =============================================================== -| network.bytes +| +[[field-network-bytes]] +<> + | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
@@ -3338,7 +3887,10 @@ example: `368` // =============================================================== -| network.community_id +| +[[field-network-community-id]] +<> + | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. @@ -3353,7 +3905,10 @@ example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` // =============================================================== -| network.direction +| +[[field-network-direction]] +<> + | Direction of the network traffic. Recommended values are: @@ -3390,7 +3945,10 @@ example: `inbound` // =============================================================== -| network.forwarded_ip +| +[[field-network-forwarded-ip]] +<> + | Host IP address when the source IP address is the proxy. type: ip @@ -3403,7 +3961,10 @@ example: `192.1.1.2` // =============================================================== -| network.iana_number +| +[[field-network-iana-number]] +<> + | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. type: keyword @@ -3416,7 +3977,10 @@ example: `6` // =============================================================== -| network.inner +| +[[field-network-inner]] +<> + | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) type: object @@ -3429,7 +3993,10 @@ type: object // =============================================================== -| network.name +| +[[field-network-name]] +<> + | Name given by operators to sections of their network. type: keyword 
@@ -3442,7 +4009,10 @@ example: `Guest Wifi` // =============================================================== -| network.packets +| +[[field-network-packets]] +<> + | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. @@ -3457,7 +4027,10 @@ example: `24` // =============================================================== -| network.protocol +| +[[field-network-protocol]] +<> + | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". @@ -3472,7 +4045,10 @@ example: `http` // =============================================================== -| network.transport +| +[[field-network-transport]] +<> + | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". @@ -3487,7 +4063,10 @@ example: `tcp` // =============================================================== -| network.type +| +[[field-network-type]] +<> + | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". @@ -3551,7 +4130,10 @@ This could be a custom hardware appliance or a server that has been configured t // =============================================================== -| observer.egress +| +[[field-observer-egress]] +<> + | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object 
@@ -3564,7 +4146,10 @@ type: object // =============================================================== -| observer.egress.zone +| +[[field-observer-egress-zone]] +<> + | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. type: keyword @@ -3577,7 +4162,10 @@ example: `Public_Internet` // =============================================================== -| observer.hostname +| +[[field-observer-hostname]] +<> + | Hostname of the observer. type: keyword @@ -3590,7 +4178,10 @@ type: keyword // =============================================================== -| observer.ingress +| +[[field-observer-ingress]] +<> + | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object @@ -3603,7 +4194,10 @@ type: object // =============================================================== -| observer.ingress.zone +| +[[field-observer-ingress-zone]] +<> + | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. type: keyword @@ -3616,7 +4210,10 @@ example: `DMZ` // =============================================================== -| observer.ip +| +[[field-observer-ip]] +<> + | IP addresses of the observer. type: ip @@ -3632,7 +4229,10 @@ Note: this field should contain an array of values. // =============================================================== -| observer.mac +| +[[field-observer-mac]] +<> + | MAC addresses of the observer type: keyword 
@@ -3648,7 +4248,10 @@ Note: this field should contain an array of values. // =============================================================== -| observer.name +| +[[field-observer-name]] +<> + | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. @@ -3665,7 +4268,10 @@ example: `1_proxySG` // =============================================================== -| observer.product +| +[[field-observer-product]] +<> + | The product name of the observer. type: keyword @@ -3678,7 +4284,10 @@ example: `s200` // =============================================================== -| observer.serial_number +| +[[field-observer-serial-number]] +<> + | Observer serial number. type: keyword @@ -3691,7 +4300,10 @@ type: keyword // =============================================================== -| observer.type +| +[[field-observer-type]] +<> + | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. @@ -3706,7 +4318,10 @@ example: `firewall` // =============================================================== -| observer.vendor +| +[[field-observer-vendor]] +<> + | Vendor name of the observer. type: keyword @@ -3719,7 +4334,10 @@ example: `Symantec` // =============================================================== -| observer.version +| +[[field-observer-version]] +<> + | Observer version. type: keyword @@ -3805,7 +4423,10 @@ These fields help you arrange or filter data stored in an index by one or multip // =============================================================== -| organization.id +| +[[field-organization-id]] +<> + | Unique identifier for the organization. type: keyword 
@@ -3818,7 +4439,10 @@ type: keyword // =============================================================== -| organization.name +| +[[field-organization-name]] +<> + | Organization name. type: keyword @@ -3853,7 +4477,10 @@ The OS fields contain information about the operating system. // =============================================================== -| os.family +| +[[field-os-family]] +<> + | OS family (such as redhat, debian, freebsd, windows). type: keyword @@ -3866,7 +4493,10 @@ example: `debian` // =============================================================== -| os.full +| +[[field-os-full]] +<> + | Operating system name, including the version or code name. type: keyword @@ -3885,7 +4515,10 @@ example: `Mac OS Mojave` // =============================================================== -| os.kernel +| +[[field-os-kernel]] +<> + | Operating system kernel version as a raw string. type: keyword @@ -3898,7 +4531,10 @@ example: `4.4.0-112-generic` // =============================================================== -| os.name +| +[[field-os-name]] +<> + | Operating system name, without the version. type: keyword @@ -3917,7 +4553,10 @@ example: `Mac OS X` // =============================================================== -| os.platform +| +[[field-os-platform]] +<> + | Operating system platform (such centos, ubuntu, windows). type: keyword @@ -3930,7 +4569,10 @@ example: `darwin` // =============================================================== -| os.type +| +[[field-os-type]] +<> + | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. @@ -3947,7 +4589,10 @@ example: `macos` // =============================================================== -| os.version +| +[[field-os-version]] +<> + | Operating system version as a raw string. type: keyword 
@@ -3986,7 +4631,10 @@ These fields contain information about an installed software package. It contain // =============================================================== -| package.architecture +| +[[field-package-architecture]] +<> + | Package architecture. type: keyword @@ -3999,7 +4647,10 @@ example: `x86_64` // =============================================================== -| package.build_version +| +[[field-package-build-version]] +<> + | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. @@ -4014,7 +4665,10 @@ example: `36f4f7e89dd61b0988b12ee000b98966867710cd` // =============================================================== -| package.checksum +| +[[field-package-checksum]] +<> + | Checksum of the installed package for verification. type: keyword @@ -4027,7 +4681,10 @@ example: `68b329da9893e34099c7d8ad5cb9c940` // =============================================================== -| package.description +| +[[field-package-description]] +<> + | Description of the package. type: keyword @@ -4040,7 +4697,10 @@ example: `Open source programming language to build simple/reliable/efficient so // =============================================================== -| package.install_scope +| +[[field-package-install-scope]] +<> + | Indicating how the package was installed, e.g. user-local, global. type: keyword @@ -4053,7 +4713,10 @@ example: `global` // =============================================================== -| package.installed +| +[[field-package-installed]] +<> + | Time when package was installed. type: date @@ -4066,7 +4729,10 @@ type: date // =============================================================== -| package.license +| +[[field-package-license]] +<> + | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). 
@@ -4081,7 +4747,10 @@ example: `Apache License 2.0` // =============================================================== -| package.name +| +[[field-package-name]] +<> + | Package name type: keyword @@ -4094,7 +4763,10 @@ example: `go` // =============================================================== -| package.path +| +[[field-package-path]] +<> + | Path where the package is installed. type: keyword @@ -4107,7 +4779,10 @@ example: `/usr/local/Cellar/go/1.12.9/` // =============================================================== -| package.reference +| +[[field-package-reference]] +<> + | Home page or reference URL of the software in this package, if available. type: keyword @@ -4120,7 +4795,10 @@ example: `https://golang.org` // =============================================================== -| package.size +| +[[field-package-size]] +<> + | Package size in bytes. type: long @@ -4133,7 +4811,10 @@ example: `62231` // =============================================================== -| package.type +| +[[field-package-type]] +<> + | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. @@ -4148,7 +4829,10 @@ example: `rpm` // =============================================================== -| package.version +| +[[field-package-version]] +<> + | Package version type: keyword @@ -4177,7 +4861,10 @@ These fields contain Windows Portable Executable (PE) metadata. // =============================================================== -| pe.architecture +| +[[field-pe-architecture]] +<> + | CPU architecture target for the file. type: keyword @@ -4190,7 +4877,10 @@ example: `x64` // =============================================================== -| pe.company +| +[[field-pe-company]] +<> + | Internal company name of the file, provided at compile-time. type: keyword 
@@ -4203,7 +4893,10 @@ example: `Microsoft Corporation` // =============================================================== -| pe.description +| +[[field-pe-description]] +<> + | Internal description of the file, provided at compile-time. type: keyword @@ -4216,7 +4909,10 @@ example: `Paint` // =============================================================== -| pe.file_version +| +[[field-pe-file-version]] +<> + | Internal version of the file, provided at compile-time. type: keyword @@ -4229,7 +4925,10 @@ example: `6.3.9600.17415` // =============================================================== -| pe.imphash +| +[[field-pe-imphash]] +<> + | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. @@ -4244,7 +4943,10 @@ example: `0c6803c4e922103c4dca5963aad36ddf` // =============================================================== -| pe.original_file_name +| +[[field-pe-original-file-name]] +<> + | Internal name of the file, provided at compile-time. type: keyword @@ -4257,7 +4959,10 @@ example: `MSPAINT.EXE` // =============================================================== -| pe.product +| +[[field-pe-product]] +<> + | Internal product name of the file, provided at compile-time. type: keyword @@ -4298,7 +5003,10 @@ These fields can help you correlate metrics information with a process id/name f // =============================================================== -| process.args +| +[[field-process-args]] +<> + | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. 
@@ -4316,7 +5024,10 @@ example: `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` // =============================================================== -| process.args_count +| +[[field-process-args-count]] +<> + | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. @@ -4331,7 +5042,10 @@ example: `4` // =============================================================== -| process.command_line +| +[[field-process-command-line]] +<> + | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. @@ -4352,7 +5066,10 @@ example: `/usr/bin/ssh -l user 10.0.0.16` // =============================================================== -| process.entity_id +| +[[field-process-entity-id]] +<> + | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. @@ -4369,7 +5086,10 @@ example: `c2c455d9f99375d` // =============================================================== -| process.executable +| +[[field-process-executable]] +<> + | Absolute path to the process executable. type: keyword @@ -4388,7 +5108,10 @@ example: `/usr/bin/ssh` // =============================================================== -| process.exit_code +| +[[field-process-exit-code]] +<> + | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). @@ -4403,7 +5126,10 @@ example: `137` // =============================================================== -| process.name +| +[[field-process-name]] +<> + | Process name. Sometimes called program name or similar. 
@@ -4424,7 +5150,10 @@ example: `ssh` // =============================================================== -| process.pgid +| +[[field-process-pgid]] +<> + | Identifier of the group of processes the process belongs to. type: long @@ -4437,7 +5166,10 @@ type: long // =============================================================== -| process.pid +| +[[field-process-pid]] +<> + | Process id. type: long @@ -4450,7 +5182,10 @@ example: `4242` // =============================================================== -| process.ppid +| +[[field-process-ppid]] +<> + | Parent process' pid. type: long @@ -4463,7 +5198,10 @@ example: `4241` // =============================================================== -| process.start +| +[[field-process-start]] +<> + | The time the process started. type: date @@ -4476,7 +5214,10 @@ example: `2016-05-23T08:05:34.853Z` // =============================================================== -| process.thread.id +| +[[field-process-thread-id]] +<> + | Thread ID. type: long @@ -4489,7 +5230,10 @@ example: `4242` // =============================================================== -| process.thread.name +| +[[field-process-thread-name]] +<> + | Thread name. type: keyword @@ -4502,7 +5246,10 @@ example: `thread-0` // =============================================================== -| process.title +| +[[field-process-title]] +<> + | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. @@ -4523,7 +5270,10 @@ Multi-fields: // =============================================================== -| process.uptime +| +[[field-process-uptime]] +<> + | Seconds the process has been up. type: long @@ -4536,7 +5286,10 @@ example: `1325` // =============================================================== -| process.working_directory +| +[[field-process-working-directory]] +<> + | The working directory of the process. type: keyword 
@@ -4618,7 +5371,10 @@ Fields related to Windows Registry operations. // =============================================================== -| registry.data.bytes +| +[[field-registry-data-bytes]] +<> + | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. @@ -4633,7 +5389,10 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` // =============================================================== -| registry.data.strings +| +[[field-registry-data-strings]] +<> + | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). @@ -4651,7 +5410,10 @@ example: `["C:\rta\red_ttp\bin\myapp.exe"]` // =============================================================== -| registry.data.type +| +[[field-registry-data-type]] +<> + | Standard registry type for encoding contents type: keyword @@ -4664,7 +5426,10 @@ example: `REG_SZ` // =============================================================== -| registry.hive +| +[[field-registry-hive]] +<> + | Abbreviated name for the hive. type: keyword @@ -4677,7 +5442,10 @@ example: `HKLM` // =============================================================== -| registry.key +| +[[field-registry-key]] +<> + | Hive-relative path of keys. type: keyword 
@@ -4690,7 +5458,10 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti // =============================================================== -| registry.path +| +[[field-registry-path]] +<> + | Full path, including hive, key and value type: keyword @@ -4703,7 +5474,10 @@ example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution // =============================================================== -| registry.value +| +[[field-registry-value]] +<> + | Name of the value written. type: keyword @@ -4736,7 +5510,10 @@ A concrete example is IP addresses, which can be under host, observer, source, d // =============================================================== -| related.hash +| +[[field-related-hash]] +<> + | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). type: keyword @@ -4752,7 +5529,10 @@ Note: this field should contain an array of values. // =============================================================== -| related.hosts +| +[[field-related-hosts]] +<> + | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. type: keyword @@ -4768,7 +5548,10 @@ Note: this field should contain an array of values. // =============================================================== -| related.ip +| +[[field-related-ip]] +<> + | All of the IPs seen on your event. type: ip @@ -4784,7 +5567,10 @@ Note: this field should contain an array of values. // =============================================================== -| related.user +| +[[field-related-user]] +<> + | All the user names seen on your event. type: keyword 
@@ -4818,7 +5604,10 @@ Examples of data sources that would populate the rule fields include: network ad // =============================================================== -| rule.author +| +[[field-rule-author]] +<> + | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. type: keyword @@ -4834,7 +5623,10 @@ example: `["Star-Lord"]` // =============================================================== -| rule.category +| +[[field-rule-category]] +<> + | A categorization value keyword used by the entity using the rule for detection of this event. type: keyword @@ -4847,7 +5639,10 @@ example: `Attempted Information Leak` // =============================================================== -| rule.description +| +[[field-rule-description]] +<> + | The description of the rule generating the event. type: keyword @@ -4860,7 +5655,10 @@ example: `Block requests to public DNS over HTTPS / TLS protocols` // =============================================================== -| rule.id +| +[[field-rule-id]] +<> + | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. type: keyword @@ -4873,7 +5671,10 @@ example: `101` // =============================================================== -| rule.license +| +[[field-rule-license]] +<> + | Name of the license under which the rule used to generate this event is made available. type: keyword @@ -4886,7 +5687,10 @@ example: `Apache 2.0` // =============================================================== -| rule.name +| +[[field-rule-name]] +<> + | The name of the rule or signature generating the event. type: keyword 
@@ -4899,7 +5703,10 @@ example: `BLOCK_DNS_over_TLS` // =============================================================== -| rule.reference +| +[[field-rule-reference]] +<> + | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. @@ -4914,7 +5721,10 @@ example: `https://en.wikipedia.org/wiki/DNS_over_TLS` // =============================================================== -| rule.ruleset +| +[[field-rule-ruleset]] +<> + | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. type: keyword @@ -4927,7 +5737,10 @@ example: `Standard_Protocol_Filters` // =============================================================== -| rule.uuid +| +[[field-rule-uuid]] +<> + | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. type: keyword @@ -4940,7 +5753,10 @@ example: `1100110011` // =============================================================== -| rule.version +| +[[field-rule-version]] +<> + | The version / revision of the rule being used for analysis. type: keyword @@ -4973,7 +5789,10 @@ Client / server representations can add semantic context to an exchange, which i // =============================================================== -| server.address +| +[[field-server-address]] +<> + | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
@@ -4988,7 +5807,10 @@ type: keyword // =============================================================== -| server.bytes +| +[[field-server-bytes]] +<> + | Bytes sent from the server to the client. type: long @@ -5001,7 +5823,10 @@ example: `184` // =============================================================== -| server.domain +| +[[field-server-domain]] +<> + | Server domain. type: keyword @@ -5014,7 +5839,10 @@ type: keyword // =============================================================== -| server.ip +| +[[field-server-ip]] +<> + | IP address of the server (IPv4 or IPv6). type: ip @@ -5027,7 +5855,10 @@ type: ip // =============================================================== -| server.mac +| +[[field-server-mac]] +<> + | MAC address of the server. type: keyword @@ -5040,7 +5871,10 @@ type: keyword // =============================================================== -| server.nat.ip +| +[[field-server-nat-ip]] +<> + | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. @@ -5055,7 +5889,10 @@ type: ip // =============================================================== -| server.nat.port +| +[[field-server-nat-port]] +<> + | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. @@ -5070,7 +5907,10 @@ type: long // =============================================================== -| server.packets +| +[[field-server-packets]] +<> + | Packets sent from the server to the client. type: long @@ -5083,7 +5923,10 @@ example: `12` // =============================================================== -| server.port +| +[[field-server-port]] +<> + | Port of the server. type: long 
@@ -5096,7 +5939,10 @@ type: long // =============================================================== -| server.registered_domain +| +[[field-server-registered-domain]] +<> + | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -5113,7 +5959,10 @@ example: `example.com` // =============================================================== -| server.subdomain +| +[[field-server-subdomain]] +<> + | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. @@ -5128,7 +5977,10 @@ example: `east` // =============================================================== -| server.top_level_domain +| +[[field-server-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". @@ -5198,7 +6050,10 @@ These fields help you find and correlate logs for a specific service and version // =============================================================== -| service.ephemeral_id +| +[[field-service-ephemeral-id]] +<> + | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. 
@@ -5213,7 +6068,10 @@ example: `8a4f500f` // =============================================================== -| service.id +| +[[field-service-id]] +<> + | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. @@ -5230,7 +6088,10 @@ example: `d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6` // =============================================================== -| service.name +| +[[field-service-name]] +<> + | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. @@ -5247,7 +6108,10 @@ example: `elasticsearch-metrics` // =============================================================== -| service.node.name +| +[[field-service-node-name]] +<> + | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. @@ -5264,7 +6128,10 @@ example: `instance-0000000016` // =============================================================== -| service.state +| +[[field-service-state]] +<> + | Current state of the service. type: keyword @@ -5277,7 +6144,10 @@ type: keyword // =============================================================== -| service.type +| +[[field-service-type]] +<> + | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
@@ -5294,7 +6164,10 @@ example: `elasticsearch` // =============================================================== -| service.version +| +[[field-service-version]] +<> + | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. @@ -5327,7 +6200,10 @@ Source fields are usually populated in conjunction with destination fields. The // =============================================================== -| source.address +| +[[field-source-address]] +<> + | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. @@ -5342,7 +6218,10 @@ type: keyword // =============================================================== -| source.bytes +| +[[field-source-bytes]] +<> + | Bytes sent from the source to the destination. type: long @@ -5355,7 +6234,10 @@ example: `184` // =============================================================== -| source.domain +| +[[field-source-domain]] +<> + | Source domain. type: keyword @@ -5368,7 +6250,10 @@ type: keyword // =============================================================== -| source.ip +| +[[field-source-ip]] +<> + | IP address of the source (IPv4 or IPv6). type: ip @@ -5381,7 +6266,10 @@ type: ip // =============================================================== -| source.mac +| +[[field-source-mac]] +<> + | MAC address of the source. type: keyword @@ -5394,7 +6282,10 @@ type: keyword // =============================================================== -| source.nat.ip +| +[[field-source-nat-ip]] +<> + | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. 
@@ -5409,7 +6300,10 @@ type: ip // =============================================================== -| source.nat.port +| +[[field-source-nat-port]] +<> + | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. @@ -5424,7 +6318,10 @@ type: long // =============================================================== -| source.packets +| +[[field-source-packets]] +<> + | Packets sent from the source to the destination. type: long @@ -5437,7 +6334,10 @@ example: `12` // =============================================================== -| source.port +| +[[field-source-port]] +<> + | Port of the source. type: long @@ -5450,7 +6350,10 @@ type: long // =============================================================== -| source.registered_domain +| +[[field-source-registered-domain]] +<> + | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -5467,7 +6370,10 @@ example: `example.com` // =============================================================== -| source.subdomain +| +[[field-source-subdomain]] +<> + | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
@@ -5482,7 +6388,10 @@ example: `east` // =============================================================== -| source.top_level_domain +| +[[field-source-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". @@ -5552,7 +6461,10 @@ These fields are for users to classify alerts from all of their sources (e.g. ID // =============================================================== -| threat.framework +| +[[field-threat-framework]] +<> + | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword @@ -5565,7 +6477,10 @@ example: `MITRE ATT&CK` // =============================================================== -| threat.tactic.id +| +[[field-threat-tactic-id]] +<> + | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5581,7 +6496,10 @@ example: `TA0002` // =============================================================== -| threat.tactic.name +| +[[field-threat-tactic-name]] +<> + | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword 
@@ -5597,7 +6515,10 @@ example: `Execution` // =============================================================== -| threat.tactic.reference +| +[[field-threat-tactic-reference]] +<> + | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5613,7 +6534,10 @@ example: `https://attack.mitre.org/tactics/TA0002/` // =============================================================== -| threat.technique.id +| +[[field-threat-technique-id]] +<> + | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5629,7 +6553,10 @@ example: `T1059` // =============================================================== -| threat.technique.name +| +[[field-threat-technique-name]] +<> + | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5651,7 +6578,10 @@ example: `Command and Scripting Interpreter` // =============================================================== -| threat.technique.reference +| +[[field-threat-technique-reference]] +<> + | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5667,7 +6597,10 @@ example: `https://attack.mitre.org/techniques/T1059/` // =============================================================== -| threat.technique.subtechnique.id +| +[[field-threat-technique-subtechnique-id]] +<> + | The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword 
@@ -5683,7 +6616,10 @@ example: `T1059.001` // =============================================================== -| threat.technique.subtechnique.name +| +[[field-threat-technique-subtechnique-name]] +<> + | The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -5705,7 +6641,10 @@ example: `PowerShell` // =============================================================== -| threat.technique.subtechnique.reference +| +[[field-threat-technique-subtechnique-reference]] +<> + | The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword @@ -5737,7 +6676,10 @@ Fields related to a TLS connection. These fields focus on the TLS protocol itsel // =============================================================== -| tls.cipher +| +[[field-tls-cipher]] +<> + | String indicating the cipher used during the current connection. type: keyword @@ -5750,7 +6692,10 @@ example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` // =============================================================== -| tls.client.certificate +| +[[field-tls-client-certificate]] +<> + | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. type: keyword @@ -5763,7 +6708,10 @@ example: `MII...` // =============================================================== -| tls.client.certificate_chain +| +[[field-tls-client-certificate-chain]] +<> + | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. type: keyword 
@@ -5779,7 +6727,10 @@ example: `["MII...", "MII..."]` // =============================================================== -| tls.client.hash.md5 +| +[[field-tls-client-hash-md5]] +<> + | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -5792,7 +6743,10 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` // =============================================================== -| tls.client.hash.sha1 +| +[[field-tls-client-hash-sha1]] +<> + | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -5805,7 +6759,10 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A` // =============================================================== -| tls.client.hash.sha256 +| +[[field-tls-client-hash-sha256]] +<> + | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -5818,7 +6775,10 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` // =============================================================== -| tls.client.issuer +| +[[field-tls-client-issuer]] +<> + | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. type: keyword @@ -5831,7 +6791,10 @@ example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` // =============================================================== -| tls.client.ja3 +| +[[field-tls-client-ja3]] +<> + | A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword 
@@ -5844,7 +6807,10 @@ example: `d4e5b18d6b55c71272893221c96ba240` // =============================================================== -| tls.client.not_after +| +[[field-tls-client-not-after]] +<> + | Date/Time indicating when client certificate is no longer considered valid. type: date @@ -5857,7 +6823,10 @@ example: `2021-01-01T00:00:00.000Z` // =============================================================== -| tls.client.not_before +| +[[field-tls-client-not-before]] +<> + | Date/Time indicating when client certificate is first considered valid. type: date @@ -5870,7 +6839,10 @@ example: `1970-01-01T00:00:00.000Z` // =============================================================== -| tls.client.server_name +| +[[field-tls-client-server-name]] +<> + | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -5883,7 +6855,10 @@ example: `www.elastic.co` // =============================================================== -| tls.client.subject +| +[[field-tls-client-subject]] +<> + | Distinguished name of subject of the x.509 certificate presented by the client. type: keyword @@ -5896,7 +6871,10 @@ example: `CN=myclient, OU=Documentation Team, DC=example, DC=com` // =============================================================== -| tls.client.supported_ciphers +| +[[field-tls-client-supported-ciphers]] +<> + | Array of ciphers offered by the client during the client hello. type: keyword @@ -5912,7 +6890,10 @@ example: `["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_25 // =============================================================== -| tls.curve +| +[[field-tls-curve]] +<> + | String indicating the curve used for the given cipher, when applicable. type: keyword 
@@ -5925,7 +6906,10 @@ example: `secp256r1` // =============================================================== -| tls.established +| +[[field-tls-established]] +<> + | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. type: boolean @@ -5938,7 +6922,10 @@ type: boolean // =============================================================== -| tls.next_protocol +| +[[field-tls-next-protocol]] +<> + | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword @@ -5951,7 +6938,10 @@ example: `http/1.1` // =============================================================== -| tls.resumed +| +[[field-tls-resumed]] +<> + | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. type: boolean @@ -5964,7 +6954,10 @@ type: boolean // =============================================================== -| tls.server.certificate +| +[[field-tls-server-certificate]] +<> + | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword @@ -5977,7 +6970,10 @@ example: `MII...` // =============================================================== -| tls.server.certificate_chain +| +[[field-tls-server-certificate-chain]] +<> + | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword 
@@ -5993,7 +6989,10 @@ example: `["MII...", "MII..."]` // =============================================================== -| tls.server.hash.md5 +| +[[field-tls-server-hash-md5]] +<> + | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -6006,7 +7005,10 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` // =============================================================== -| tls.server.hash.sha1 +| +[[field-tls-server-hash-sha1]] +<> + | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -6019,7 +7021,10 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A` // =============================================================== -| tls.server.hash.sha256 +| +[[field-tls-server-hash-sha256]] +<> + | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword @@ -6032,7 +7037,10 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` // =============================================================== -| tls.server.issuer +| +[[field-tls-server-issuer]] +<> + | Subject of the issuer of the x.509 certificate presented by the server. type: keyword @@ -6045,7 +7053,10 @@ example: `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` // =============================================================== -| tls.server.ja3s +| +[[field-tls-server-ja3s]] +<> + | A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword 
@@ -6058,7 +7069,10 @@ example: `394441ab65754e2207b1e1b457b3641d` // =============================================================== -| tls.server.not_after +| +[[field-tls-server-not-after]] +<> + | Timestamp indicating when server certificate is no longer considered valid. type: date @@ -6071,7 +7085,10 @@ example: `2021-01-01T00:00:00.000Z` // =============================================================== -| tls.server.not_before +| +[[field-tls-server-not-before]] +<> + | Timestamp indicating when server certificate is first considered valid. type: date @@ -6084,7 +7101,10 @@ example: `1970-01-01T00:00:00.000Z` // =============================================================== -| tls.server.subject +| +[[field-tls-server-subject]] +<> + | Subject of the x.509 certificate presented by the server. type: keyword @@ -6097,7 +7117,10 @@ example: `CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com` // =============================================================== -| tls.version +| +[[field-tls-version]] +<> + | Numeric part of the version parsed from the original string. type: keyword @@ -6110,7 +7133,10 @@ example: `1.2` // =============================================================== -| tls.version_protocol +| +[[field-tls-version-protocol]] +<> + | Normalized lowercase protocol name parsed from original string. type: keyword @@ -6170,7 +7196,10 @@ Distributed tracing makes it possible to analyze performance throughout a micros // =============================================================== -| span.id +| +[[field-span-id]] +<> + | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. 
@@ -6185,7 +7214,10 @@ example: `3ff9a8981b7ccd5a` // =============================================================== -| trace.id +| +[[field-trace-id]] +<> + | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
@@ -6200,7 +7232,10 @@ example: `4bf92f3577b34da6a3ce929d0e0e4736` // =============================================================== -| transaction.id +| +[[field-transaction-id]] +<> + | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.
@@ -6231,7 +7266,10 @@ URL fields provide support for complete or partial URLs, and supports the breaki // =============================================================== -| url.domain +| +[[field-url-domain]] +<> + | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
@@ -6246,7 +7284,10 @@ example: `www.elastic.co` // =============================================================== -| url.extension +| +[[field-url-extension]] +<> + | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension.
@@ -6265,7 +7306,10 @@ example: `png` // =============================================================== -| url.fragment +| +[[field-url-fragment]] +<> + | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.
@@ -6280,7 +7324,10 @@ type: keyword // =============================================================== -| url.full +| +[[field-url-full]] +<> + | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword
@@ -6299,7 +7346,10 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top` // =============================================================== -| url.original +| +[[field-url-original]] +<> + | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
@@ -6322,7 +7372,10 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=ela // =============================================================== -| url.password +| +[[field-url-password]] +<> + | Password of the request. type: keyword
@@ -6335,7 +7388,10 @@ type: keyword // =============================================================== -| url.path +| +[[field-url-path]] +<> + | Path of the request, such as "/search". type: keyword
@@ -6348,7 +7404,10 @@ type: keyword // =============================================================== -| url.port +| +[[field-url-port]] +<> + | Port of the request, such as 443. type: long
@@ -6361,7 +7420,10 @@ example: `443` // =============================================================== -| url.query +| +[[field-url-query]] +<> + | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
@@ -6376,7 +7438,10 @@ type: keyword // =============================================================== -| url.registered_domain +| +[[field-url-registered-domain]] +<> + | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com".
@@ -6393,7 +7458,10 @@ example: `example.com` // =============================================================== -| url.scheme +| +[[field-url-scheme]] +<> + | Scheme of the request, such as "https". Note: The `:` is not part of the scheme.
@@ -6408,7 +7476,10 @@ example: `https` // =============================================================== -| url.subdomain +| +[[field-url-subdomain]] +<> + | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
@@ -6423,7 +7494,10 @@ example: `east` // =============================================================== -| url.top_level_domain +| +[[field-url-top-level-domain]] +<> + | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
@@ -6438,7 +7512,10 @@ example: `co.uk` // =============================================================== -| url.username +| +[[field-url-username]] +<> + | Username of the request. type: keyword
@@ -6469,7 +7546,10 @@ Fields can have one entry or multiple entries. If a user has more than one id, p // =============================================================== -| user.domain +| +[[field-user-domain]] +<> + | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
@@ -6484,7 +7564,10 @@ type: keyword // =============================================================== -| user.email +| +[[field-user-email]] +<> + | User email address. type: keyword
@@ -6497,7 +7580,10 @@ type: keyword // =============================================================== -| user.full_name +| +[[field-user-full-name]] +<> + | User's full name, if available. type: keyword
@@ -6516,7 +7602,10 @@ example: `Albert Einstein` // =============================================================== -| user.hash +| +[[field-user-hash]] +<> + | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
@@ -6531,7 +7620,10 @@ type: keyword // =============================================================== -| user.id +| +[[field-user-id]] +<> + | Unique identifier of the user. type: keyword
@@ -6544,7 +7636,10 @@ type: keyword // =============================================================== -| user.name +| +[[field-user-name]] +<> + | Short name or login of the user. type: keyword
@@ -6563,7 +7658,10 @@ example: `albert` // =============================================================== -| user.roles +| +[[field-user-roles]] +<> + | Array of user roles at the time of the event. type: keyword
@@ -6626,7 +7724,10 @@ They often show up in web service logs coming from the parsed user agent string. // =============================================================== -| user_agent.device.name +| +[[field-user-agent-device-name]] +<> + | Name of the device. type: keyword
@@ -6639,7 +7740,10 @@ example: `iPhone` // =============================================================== -| user_agent.name +| +[[field-user-agent-name]] +<> + | Name of the user agent. type: keyword
@@ -6652,7 +7756,10 @@ example: `Safari` // =============================================================== -| user_agent.original +| +[[field-user-agent-original]] +<> + | Unparsed user_agent string. type: keyword
@@ -6671,7 +7778,10 @@ example: `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605 // =============================================================== -| user_agent.version +| +[[field-user-agent-version]] +<> + | Version of the user agent. type: keyword
@@ -6731,7 +7841,10 @@ Observer.ingress and observer.egress VLAN values are used to record observer spe // =============================================================== -| vlan.id +| +[[field-vlan-id]] +<> + | VLAN ID as reported by the observer. type: keyword
@@ -6744,7 +7857,10 @@ example: `10` // =============================================================== -| vlan.name +| +[[field-vlan-name]] +<> + | Optional VLAN name as reported by the observer. type: keyword
@@ -6783,7 +7899,10 @@ The vulnerability fields describe information about a vulnerability that is rele // =============================================================== -| vulnerability.category +| +[[field-vulnerability-category]] +<> + | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array.
@@ -6801,7 +7920,10 @@ example: `["Firewall"]` // =============================================================== -| vulnerability.classification +| +[[field-vulnerability-classification]] +<> + | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) type: keyword
@@ -6814,7 +7936,10 @@ example: `CVSS` // =============================================================== -| vulnerability.description +| +[[field-vulnerability-description]] +<> + | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword
@@ -6833,7 +7958,10 @@ example: `In macOS before 2.12.6, there is a vulnerability in the RPC...` // =============================================================== -| vulnerability.enumeration +| +[[field-vulnerability-enumeration]] +<> + | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword
@@ -6846,7 +7974,10 @@ example: `CVE` // =============================================================== -| vulnerability.id +| +[[field-vulnerability-id]] +<> + | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] type: keyword
@@ -6859,7 +7990,10 @@ example: `CVE-2019-00001` // =============================================================== -| vulnerability.reference +| +[[field-vulnerability-reference]] +<> + | A resource that provides additional information, context, and mitigations for the identified vulnerability. type: keyword
@@ -6872,7 +8006,10 @@ example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111` // =============================================================== -| vulnerability.report_id +| +[[field-vulnerability-report-id]] +<> + | The report or scan identification number. type: keyword
@@ -6885,7 +8022,10 @@ example: `20191018.0001` // =============================================================== -| vulnerability.scanner.vendor +| +[[field-vulnerability-scanner-vendor]] +<> + | The name of the vulnerability scanner vendor. type: keyword
@@ -6898,7 +8038,10 @@ example: `Tenable` // =============================================================== -| vulnerability.score.base +| +[[field-vulnerability-score-base]] +<> + | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
@@ -6913,7 +8056,10 @@ example: `5.5` // =============================================================== -| vulnerability.score.environmental +| +[[field-vulnerability-score-environmental]] +<> + | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)
@@ -6928,7 +8074,10 @@ example: `5.5` // =============================================================== -| vulnerability.score.temporal +| +[[field-vulnerability-score-temporal]] +<> + | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document)
@@ -6943,7 +8092,10 @@ type: float // =============================================================== -| vulnerability.score.version +| +[[field-vulnerability-score-version]] +<> + | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)
@@ -6958,7 +8110,10 @@ example: `2.0` // =============================================================== -| vulnerability.severity +| +[[field-vulnerability-severity]] +<> + | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword
@@ -6991,7 +8146,10 @@ Events that contain certificate information about network connections, should us // =============================================================== -| x509.alternative_names +| +[[field-x509-alternative-names]] +<> + | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword
@@ -7007,7 +8165,10 @@ example: `*.elastic.co` // =============================================================== -| x509.issuer.common_name +| +[[field-x509-issuer-common-name]] +<> + | List of common name (CN) of issuing certificate authority. type: keyword
@@ -7023,7 +8184,10 @@ example: `Example SHA2 High Assurance Server CA` // =============================================================== -| x509.issuer.country +| +[[field-x509-issuer-country]] +<> + | List of country (C) codes type: keyword
@@ -7039,7 +8203,10 @@ example: `US` // =============================================================== -| x509.issuer.distinguished_name +| +[[field-x509-issuer-distinguished-name]] +<> + | Distinguished name (DN) of issuing certificate authority. type: keyword
@@ -7052,7 +8219,10 @@ example: `C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assuranc // =============================================================== -| x509.issuer.locality +| +[[field-x509-issuer-locality]] +<> + | List of locality names (L) type: keyword
@@ -7068,7 +8238,10 @@ example: `Mountain View` // =============================================================== -| x509.issuer.organization +| +[[field-x509-issuer-organization]] +<> + | List of organizations (O) of issuing certificate authority. type: keyword
@@ -7084,7 +8257,10 @@ example: `Example Inc` // =============================================================== -| x509.issuer.organizational_unit +| +[[field-x509-issuer-organizational-unit]] +<> + | List of organizational units (OU) of issuing certificate authority. type: keyword
@@ -7100,7 +8276,10 @@ example: `www.example.com` // =============================================================== -| x509.issuer.state_or_province +| +[[field-x509-issuer-state-or-province]] +<> + | List of state or province names (ST, S, or P) type: keyword
@@ -7116,7 +8295,10 @@ example: `California` // =============================================================== -| x509.not_after +| +[[field-x509-not-after]] +<> + | Time at which the certificate is no longer considered valid. type: date
@@ -7129,7 +8311,10 @@ example: `2020-07-16 03:15:39+00:00` // =============================================================== -| x509.not_before +| +[[field-x509-not-before]] +<> + | Time at which the certificate is first considered valid. type: date
@@ -7142,7 +8327,10 @@ example: `2019-08-16 01:40:25+00:00` // =============================================================== -| x509.public_key_algorithm +| +[[field-x509-public-key-algorithm]] +<> + | Algorithm used to generate the public key. type: keyword
@@ -7155,7 +8343,10 @@ example: `RSA` // =============================================================== -| x509.public_key_curve +| +[[field-x509-public-key-curve]] +<> + | The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword
@@ -7168,7 +8359,10 @@ example: `nistp521` // =============================================================== -| x509.public_key_exponent +| +[[field-x509-public-key-exponent]] +<> + | Exponent used to derive the public key. This is algorithm specific. type: long
@@ -7181,7 +8375,10 @@ example: `65537` // =============================================================== -| x509.public_key_size +| +[[field-x509-public-key-size]] +<> + | The size of the public key space in bits. type: long
@@ -7194,7 +8391,10 @@ example: `2048` // =============================================================== -| x509.serial_number +| +[[field-x509-serial-number]] +<> + | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword
@@ -7207,7 +8407,10 @@ example: `55FBB9C7DEBF09809D12CCAA` // =============================================================== -| x509.signature_algorithm +| +[[field-x509-signature-algorithm]] +<> + | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword
@@ -7220,7 +8423,10 @@ example: `SHA256-RSA` // =============================================================== -| x509.subject.common_name +| +[[field-x509-subject-common-name]] +<> + | List of common names (CN) of subject. type: keyword
@@ -7236,7 +8442,10 @@ example: `shared.global.example.net` // =============================================================== -| x509.subject.country +| +[[field-x509-subject-country]] +<> + | List of country (C) code type: keyword
@@ -7252,7 +8461,10 @@ example: `US` // =============================================================== -| x509.subject.distinguished_name +| +[[field-x509-subject-distinguished-name]] +<> + | Distinguished name (DN) of the certificate subject entity. type: keyword
@@ -7265,7 +8477,10 @@ example: `C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.globa // =============================================================== -| x509.subject.locality +| +[[field-x509-subject-locality]] +<> + | List of locality names (L) type: keyword
@@ -7281,7 +8496,10 @@ example: `San Francisco` // =============================================================== -| x509.subject.organization +| +[[field-x509-subject-organization]] +<> + | List of organizations (O) of subject. type: keyword
@@ -7297,7 +8515,10 @@ example: `Example, Inc.` // =============================================================== -| x509.subject.organizational_unit +| +[[field-x509-subject-organizational-unit]] +<> + | List of organizational units (OU) of subject. type: keyword
@@ -7313,7 +8534,10 @@ Note: this field should contain an array of values. // =============================================================== -| x509.subject.state_or_province +| +[[field-x509-subject-state-or-province]] +<> + | List of state or province names (ST, S, or P) type: keyword
@@ -7329,7 +8553,10 @@ example: `California` // =============================================================== -| x509.version_number +| +[[field-x509-version-number]] +<> + | Version of x509 format. type: keyword
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 12da870f3a..a53975d700 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1,5 +1,5 @@ '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 84f21b05b8..ae2bf5b32c 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -158,7 +158,7 @@ base: events. These fields are common across all types of events. fields: '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index a4b7a0450b..cfee8c876f 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1,5 +1,5 @@ '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when the
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 72bea8756d..6c05ca5aba 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -160,7 +160,7 @@ base: events. These fields are common across all types of events. fields: '@timestamp': - dashed_name: -timestamp + dashed_name: timestamp description: 'Date/time when the event originated. This is the date/time extracted from the event, typically representing when
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index d1b4928507..3ae41acf41 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -176,7 +176,7 @@ def field_finalizer(details, path):
 name_array = path + [details['field_details']['node_name']]
 flat_name = '.'.join(name_array)
 details['field_details']['flat_name'] = flat_name
- details['field_details']['dashed_name'] = re.sub('[@_\.]', '-', flat_name)
+ details['field_details']['dashed_name'] = re.sub('[_\.]', '-', flat_name).replace('@', '')
 if 'multi_fields' in details['field_details']:
 for mf in details['field_details']['multi_fields']:
 mf['flat_name'] = flat_name + '.' + mf['name']
diff --git a/scripts/templates/field_details.j2 b/scripts/templates/field_details.j2
index 643c2ccf5d..6e606f8783 100644
--- a/scripts/templates/field_details.j2
+++ b/scripts/templates/field_details.j2
@@ -32,7 +32,10 @@ beta::[ {{ fieldset['beta'] }}]
 {% if 'original_fieldset' not in field -%}
 {# `Field` column -#}
-| {{ field['flat_name'] }}
+|
+[[field-{{field['dashed_name']}}]]
+<>
+
 {# `Description` column -#}
 {#- Beta fields will add the `beta` label -#}
 {% if field['beta'] -%}
diff --git a/scripts/tests/unit/test_schema_finalizer.py b/scripts/tests/unit/test_schema_finalizer.py
index cea5c01e6d..7f016351d8 100644
--- a/scripts/tests/unit/test_schema_finalizer.py
+++ b/scripts/tests/unit/test_schema_finalizer.py
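Review bot: The new `+` line in the finalizer.py hunk keeps the pattern as a non-raw string, `'[_\.]'`, where `\.` is an invalid escape sequence in an ordinary Python literal (a DeprecationWarning on current interpreters and a SyntaxWarning on newer ones); inside a character class the dot needs no escaping, so `re.sub(r'[_.]', '-', flat_name).replace('@', '')` is the cleaner form. Since the field_details.j2 hunk in the same commit starts using `dashed_name` as the asciidoc anchor id, it is worth recording next to this line that the mapping is lossy — `_` and `.` both become `-` and `@` is dropped — so two distinct flat names can in principle yield the same anchor; a comment such as `# dashed_name is used as a doc anchor id; the mapping is not one-to-one` would flag that for maintainers. The enclosing `field_finalizer` function starts before this hunk.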
@@ -268,7 +268,7 @@ def test_calculate_final_values(self):
 timestamp_details = base_fields['@timestamp']['field_details']
 self.assertEqual(timestamp_details['flat_name'], '@timestamp', "Field sets with root=true must not namespace field names with the field set's name")
- self.assertEqual(timestamp_details['dashed_name'], '-timestamp')
+ self.assertEqual(timestamp_details['dashed_name'], 'timestamp')
 # root=false
 self.assertEqual(server_fields['ip']['field_details']['flat_name'], 'server.ip', "Field sets with root=false must namespace field names with the field set's name")
@@ -288,7 +288,7 @@ def test_calculate_final_values(self):
 def test_dashed_name_cleanup(self):
 details = {'field_details': {'node_name': '@time.stamp_'}}
 finalizer.field_finalizer(details, [])
- self.assertEqual(details['field_details']['dashed_name'], '-time-stamp-')
+ self.assertEqual(details['field_details']['dashed_name'], 'time-stamp-')
 # field_group_at_path
From e27a9487b2b6b8c1717849e02e5fe03cefc640bf Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Wed, 2 Dec 2020 16:21:19 -0500
Subject: [PATCH 51/90] [1.x] Tracing fields should be at the root (#1165)
* Add notice to the tracing field set, about not nesting field names. (#1162)
* Tracing fields should be at top level in Beats artifact (#1164)
---
 CHANGELOG.next.md | 5 ++
 code/go/ecs/tracing.go | 3 +
 docs/field-details.asciidoc | 2 +
 experimental/generated/beats/fields.ecs.yml | 61 +++++++++------------
 experimental/generated/ecs/ecs_nested.yml | 6 +-
 generated/beats/fields.ecs.yml | 61 +++++++++------------
 generated/ecs/ecs_nested.yml | 6 +-
 schemas/tracing.yml | 7 ++-
 scripts/generators/beats.py | 5 ++
 9 files changed, 83 insertions(+), 73 deletions(-)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f87d61f45f..39dc9a5a05 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -30,6 +30,8 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
+* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
+
 #### Added
 * Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
@@ -41,6 +43,9 @@ Thanks, you're awesome :-) -->
 #### Improvements
+* Added a notice highlighting that the `tracing` fields are not nested under the
+ namespace `tracing.` #1162
+
 #### Deprecated
diff --git a/code/go/ecs/tracing.go b/code/go/ecs/tracing.go
index 16e1707065..a0f6b2508d 100644
--- a/code/go/ecs/tracing.go
+++ b/code/go/ecs/tracing.go
@@ -23,6 +23,9 @@ package ecs
 // microservice architecture all in one view. This is accomplished by tracing
 // all of the requests - from the initial web request in the front-end service
 // - to queries made through multiple back-end services.
+// Unlike most field sets in ECS, the tracing fields are *not* nested under the
+// field set name. In other words, the correct field name is `trace.id`, not
+// `tracing.trace.id`, and so on.
 type Tracing struct {
 // Unique identifier of the trace.
 // A trace groups multiple events like transactions that belong together.
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 0d41f4462c..eebf2524f2 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7187,6 +7187,8 @@ example: `tls` Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +Unlike most field sets in ECS, the tracing fields are *not* nested under the field set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on. + [discrete] ==== Tracing Field Details
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 15f8b78a38..0501a22725 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5212,43 +5212,34 @@ description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - - name: tracing - title: Tracing - group: 2 - description: Distributed tracing makes it possible to analyze performance throughout - a microservice architecture all in one view. This is accomplished by tracing - all of the requests - from the initial web request in the front-end service - - to queries made through multiple back-end services. - type: group - fields: - - name: span.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the span within the scope of its trace. - - A span represents an operation within a transaction, such as a request to - another service, or a database query.' - example: 3ff9a8981b7ccd5a - default_field: false - - name: trace.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the trace. + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to another + service, or a database query.' + example: 3ff9a8981b7ccd5a + default_field: false + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For - example, a user request handled by multiple inter-connected services.' - example: 4bf92f3577b34da6a3ce929d0e0e4736 - - name: transaction.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the transaction within the scope of its trace. + A trace groups multiple events like transactions that belong together. For example, + a user request handled by multiple inter-connected services.' 
+ example: 4bf92f3577b34da6a3ce929d0e0e4736 + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such - as a request to a server.' - example: 00f067aa0ba902b7 + A transaction is the highest level of work measured within a service, such as + a request to a server.' + example: 00f067aa0ba902b7 - name: url title: URL group: 2
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index ae2bf5b32c..60deb5c23b 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -9228,10 +9228,14 @@ tls: title: TLS type: group tracing: - description: Distributed tracing makes it possible to analyze performance throughout + description: 'Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + Unlike most field sets in ECS, the tracing fields are *not* nested under the field set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`, and so on.' fields: span.id: dashed_name: span-id
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index d0f31c1f43..50f344720b 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5299,43 +5299,34 @@ description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false - - name: tracing - title: Tracing - group: 2 - description: Distributed tracing makes it possible to analyze performance throughout - a microservice architecture all in one view. This is accomplished by tracing - all of the requests - from the initial web request in the front-end service - - to queries made through multiple back-end services. - type: group - fields: - - name: span.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the span within the scope of its trace. - - A span represents an operation within a transaction, such as a request to - another service, or a database query.' - example: 3ff9a8981b7ccd5a - default_field: false - - name: trace.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the trace. + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to another + service, or a database query.' + example: 3ff9a8981b7ccd5a + default_field: false + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For - example, a user request handled by multiple inter-connected services.' - example: 4bf92f3577b34da6a3ce929d0e0e4736 - - name: transaction.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the transaction within the scope of its trace. + A trace groups multiple events like transactions that belong together. For example, + a user request handled by multiple inter-connected services.' 
+ example: 4bf92f3577b34da6a3ce929d0e0e4736 + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such - as a request to a server.' - example: 00f067aa0ba902b7 + A transaction is the highest level of work measured within a service, such as + a request to a server.' + example: 00f067aa0ba902b7 - name: url title: URL group: 2 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 6c05ca5aba..f1ee2ecde8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9316,10 +9316,14 @@ tls: title: TLS type: group tracing: - description: Distributed tracing makes it possible to analyze performance throughout + description: 'Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + Unlike most field sets in ECS, the tracing fields are *not* nested under the field + set name. In other words, the correct field name is `trace.id`, not `tracing.trace.id`, + and so on.' fields: span.id: dashed_name: span-id diff --git a/schemas/tracing.yml b/schemas/tracing.yml index fc44bd4e53..8e23514e3d 100644 --- a/schemas/tracing.yml +++ b/schemas/tracing.yml 
@@ -6,7 +6,12 @@ short: Fields related to distributed tracing. description: > Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. - This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + This is accomplished by tracing all of the requests - from the initial web + request in the front-end service - to queries made through multiple back-end services. + + Unlike most field sets in ECS, the tracing fields are *not* nested under the + field set name. In other words, the correct field name is `trace.id`, + not `tracing.trace.id`, and so on. type: group fields: - name: trace.id diff --git a/scripts/generators/beats.py b/scripts/generators/beats.py index 0d182b40db..fa8904c058 100644 --- a/scripts/generators/beats.py +++ b/scripts/generators/beats.py @@ -17,6 +17,11 @@ def generate(ecs_nested, ecs_version, out_dir): continue fieldset = ecs_nested[fieldset_name] + # Handle when `root:true` + if fieldset.get('root', False): + beats_fields.extend(fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix'])) + continue + beats_field = ecs_helpers.dict_copy_keys_ordered(fieldset, allowed_fieldset_keys) beats_field['fields'] = fieldset_field_array(fieldset['fields'], df_whitelist, fieldset['prefix']) beats_fields.append(beats_field) From 14c84c04428bf83be98d428b716b2fc33e5d2bcc Mon Sep 17 00:00:00 2001 
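Review bot: The comment `# Handle when \`root:true\`` on the new branch in `generate` names the flag but not the effect, and the effect is a change of output shape: the field set's entries are appended straight into `beats_fields` with no group wrapper, using `fieldset['prefix']` as their prefix. I would replace it with `# root:true field sets (e.g. tracing) are not nested under a group entry: emit their fields at the top level; prefix is expected to be empty for root sets`. Whether the schema loader actually guarantees an empty prefix for root sets is not visible in this patch and is worth confirming, since a non-empty prefix would quietly reintroduce the `tracing.` nesting this branch exists to avoid. `generate` starts before this hunk.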
From: Eric Beahan Date: Thu, 3 Dec 2020 10:40:42 -0600 Subject: [PATCH 52/90] [1.x] Usage of brackets for a URL containing IPv6 address (#1131) (#1168) --- CHANGELOG.next.md | 2 ++ code/go/ecs/url.go | 3 +++ docs/field-details.asciidoc | 2 ++ experimental/generated/beats/fields.ecs.yml | 6 +++++- experimental/generated/ecs/ecs_flat.yml | 5 ++++- experimental/generated/ecs/ecs_nested.yml | 6 +++++- generated/beats/fields.ecs.yml | 6 +++++- generated/ecs/ecs_flat.yml | 5 ++++- generated/ecs/ecs_nested.yml | 6 +++++- schemas/url.yml | 3 +++ 10 files changed, 38 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 39dc9a5a05..9f8ac783ad 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 + #### Deprecated ### Tooling and Artifact Changes diff --git a/code/go/ecs/url.go b/code/go/ecs/url.go index ec00f75914..d9a05e4a81 100644 --- a/code/go/ecs/url.go +++ b/code/go/ecs/url.go @@ -42,6 +42,9 @@ type Url struct { // In some cases a URL may refer to an IP and/or port directly, without a // domain name. In this case, the IP address would go to the `domain` // field. + // If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF + // RFC 2732), the `[` and `]` characters should also be captured in the + // `domain` field. Domain string `ecs:"domain"` // The highest registered url domain, stripped of the subdomain. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index eebf2524f2..87a98e4e21 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -7276,6 +7276,8 @@ URL fields provide support for complete or partial URLs, and supports the breaki In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0501a22725..16c38aefca 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5253,7 +5253,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a53975d700..255173741f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8027,7 +8027,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain level: extended 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 60deb5c23b..85be996c31 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -9295,7 +9295,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 50f344720b..223cc8f130 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5341,7 +5341,11 @@ description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co - name: extension level: extended diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index cfee8c876f..8ddc706a5a 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8110,7 +8110,10 @@ url.domain: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f1ee2ecde8..c00c9c5173 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9383,7 +9383,11 @@ url: description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field.' + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' example: www.elastic.co flat_name: url.domain ignore_above: 1024 diff --git a/schemas/url.yml b/schemas/url.yml index 0253f316e8..88a0278891 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -58,6 +58,9 @@ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field. example: www.elastic.co - name: registered_domain From ae5568c70aca40a83885cb6f7c4c6c1173ff8177 Mon Sep 17 00:00:00 2001 
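Review bot: The new `url.domain` guidance says the `[` and `]` must be kept but does not say how that bracketed value relates to fields typed `ip`: a keyword value such as `[2001:db8::1]` will never match an `ip`-typed field holding `2001:db8::1`, so a detection rule or pivot that joins `url.domain` against an IP field will silently miss IPv6 literals. I would add one sentence after the new paragraph: `When the address is also copied into an ip-typed field, strip the brackets there; the brackets belong only to url.domain.` The hunk is a description-only change, so the existing `www.elastic.co` example still holds; an additional bracketed IPv6 example next to it would make the rule concrete for implementers.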
From: Eric Beahan Date: Mon, 7 Dec 2020 11:30:12 -0600 Subject: [PATCH 53/90] [1.x] 6.x index template data type fallback (#1171) (#1172) --- CHANGELOG.next.md | 1 + scripts/generators/es_template.py | 25 +++++++++++- scripts/tests/test_es_template.py | 65 +++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9f8ac783ad..df39066ed8 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -47,6 +47,7 @@ Thanks, you're awesome :-) --> * Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162 +* ES 6.x template data types will fallback to supported types. #1171 #### Deprecated diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 086d5246b9..bb56356a5a 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -4,6 +4,8 @@ from os.path import join from generators import ecs_helpers +from schema.cleaner import field_or_multi_field_datatype_defaults +from schema.oss import TYPE_FALLBACKS def generate(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file): @@ -93,7 +95,9 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir, else: template = default_template_settings() if elasticsearch_version == 6: - template['mappings'] = {'_doc': mappings_section} + es6_mappings_section = copy.deepcopy(mappings_section) + es6_type_fallback(es6_mappings_section['properties']) + template['mappings'] = {'_doc': es6_mappings_section} else: template['mappings'] = mappings_section 
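Review bot: The `copy.deepcopy(mappings_section)` added in `generate_template_version` carries no comment saying why a full copy is needed, and `copy` is not among the imports this patch adds, so it must already be imported in the first three lines of the module that the `@@ -4` hunk does not show — worth a glance. The reason is that `es6_type_fallback` rewrites `type` in place, so without the copy the 7.x template could inherit the 6.x fallbacks depending on which version is generated first; I would say so on the spot: `# es6_type_fallback mutates in place; copy so the 7.x template keeps the original types`. `generate_template_version` starts before this hunk.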
@@ -144,3 +148,22 @@ def default_mapping_settings(ecs_version): ], "properties": {} } + + +def es6_type_fallback(mappings): + ''' + Visits each leaf in mappings object and fallback to an + Elasticsearch 6.x supported type. + + Since a field like `wildcard` won't have the same defaults as + a `keyword` field, we must add any missing defaults. + ''' + + for (name, details) in mappings.items(): + if 'type' in details: + fallback_type = TYPE_FALLBACKS.get(details['type']) + if fallback_type: + mappings[name]['type'] = fallback_type + field_or_multi_field_datatype_defaults(mappings[name]) + if 'properties' in details: + es6_type_fallback(details['properties']) diff --git a/scripts/tests/test_es_template.py b/scripts/tests/test_es_template.py index 43ee4d276f..50142e4ff6 100644 --- a/scripts/tests/test_es_template.py +++ b/scripts/tests/test_es_template.py 
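Review bot: `es6_type_fallback` recurses only into `properties`, so leaves under any other container key are never visited; if the generated mapping emits multi-fields under a `fields` key (which the name `field_or_multi_field_datatype_defaults` suggests is a case the project handles), a `wildcard` multi-field would survive into the 6.x template untouched. If that is the layout, add `if 'fields' in details: es6_type_fallback(details['fields'])` next to the `properties` recursion and cover it with a test. The docstring should also state that the function mutates `mappings` in place and returns nothing, since that is the contract both `generate_template_version` and the new tests rely on.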
@@ -157,6 +157,71 @@ def test_constant_keyword_no_value(self): exp = {'type': 'constant_keyword'} self.assertEqual(es_template.entry_for(test_map), exp) + def test_es6_fallback_base_case_wildcard(self): + test_map = { + "field": { + "name": "field", + "type": "wildcard" + } + } + + exp = { + "field": { + "name": "field", + "type": "keyword", + "ignore_above": 1024 + } + } + + es_template.es6_type_fallback(test_map) + self.assertEqual(test_map, exp) + + def test_es6_fallback_recursive_case_wildcard(self): + test_map = { + "top_field": { + "properties": { + "field": { + "name": "field", + "type": "wildcard" + } + } + } + } + + exp = { + "top_field": { + "properties": { + "field": { + "name": "field", + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + + es_template.es6_type_fallback(test_map) + self.assertEqual(test_map, exp) + + def test_es6_fallback_base_case_constant_keyword(self): + test_map = { + "field": { + "name": "field", + "type": "constant_keyword" + } + } + + exp = { + "field": { + "name": "field", + "type": "keyword", + "ignore_above": 1024 + } + } + + es_template.es6_type_fallback(test_map) + self.assertEqual(test_map, exp) + if __name__ == '__main__': unittest.main() From 48e1ddc6424a7fb821ce14bed4f7076a8b1c70ed Mon Sep 17 00:00:00 2001 
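Review bot: The three new tests only cover types that have a fallback; nothing pins the negative branch of `es6_type_fallback`, where a type with no entry in `TYPE_FALLBACKS` must come back byte-identical and in particular must not gain `ignore_above` from `field_or_multi_field_datatype_defaults`. A regression there (for example calling the defaults helper unconditionally) would pass this suite unnoticed. I would add a case asserting that a plain `keyword` field without `ignore_above` is left unchanged, as below.
```python
    def test_es6_fallback_supported_type_untouched(self):
        test_map = {"field": {"name": "field", "type": "keyword"}}
        exp = {"field": {"name": "field", "type": "keyword"}}

        es_template.es6_type_fallback(test_map)
        self.assertEqual(test_map, exp)
```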
From: Mathieu Martin Date: Mon, 7 Dec 2020 14:53:31 -0500 Subject: [PATCH 54/90] [1.x] Apply RFC 0007 stage 3 changes - multi-user (#1066) (#1175) Conflict: deleted file rfcs/text/0007-multiple-users.md as RFCs are not backported to version branches. --- CHANGELOG.next.md | 4 + docs/field-details.asciidoc | 31 +- docs/usage/user.asciidoc | 430 ++++++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 12 +- experimental/schemas/user.yml | 8 - generated/beats/fields.ecs.yml | 237 ++++++++++++ generated/csv/fields.csv | 36 ++ generated/ecs/ecs_flat.yml | 396 ++++++++++++++++++++ generated/ecs/ecs_nested.yml | 423 +++++++++++++++++++++ generated/elasticsearch/6/template.json | 180 +++++++++ generated/elasticsearch/7/template.json | 180 +++++++++ schemas/user.yml | 9 + 12 files changed, 1934 insertions(+), 12 deletions(-) create mode 100644 docs/usage/user.asciidoc diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index df39066ed8..2488a956e5 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,8 @@ Thanks, you're awesome :-) --> * Added `event.category` "registry". #1040 * Added `event.category` "session". #1049 +* Added usage documentation for `user` fields. #1066 +* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066 * Added `os.type`. #1111 #### Improvements @@ -26,6 +28,8 @@ Thanks, you're awesome :-) --> #### Deprecated +* Deprecated `host.user.*` fields for removal at the next major. #1066 + ### Tooling and Artifact Changes #### Breaking changes diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 87a98e4e21..7bfc74e85a 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -7541,6 +7541,10 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +Find additional usage and examples in the user fields <> section. + + + [discrete] ==== User Field Details @@ -7686,7 +7690,7 @@ example: `["kibana_admin", "reporting_user"]` [discrete] ==== Field Reuse -The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`. +The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`. Note also that the `user` fields may be used directly at the root of the events. @@ -7704,14 +7708,39 @@ Note also that the `user` fields may be used directly at the root of the events. // =============================================================== +| <>| beta:[ Reusing the user fields in this location is currently considered beta.] + +Fields to describe the user relevant to the event. + +// =============================================================== + + +| <>| beta:[ Reusing the user fields in this location is currently considered beta.] + +Fields to describe the user relevant to the event. + +// =============================================================== + + | <> | User's group relevant to the event. // =============================================================== +| <>| beta:[ Reusing the user fields in this location is currently considered beta.] + +Fields to describe the user relevant to the event. + +// =============================================================== + + |===== + + +include::usage/user.asciidoc[] + [[ecs-user_agent]] === User agent Fields diff --git a/docs/usage/user.asciidoc b/docs/usage/user.asciidoc new file mode 100644 index 0000000000..f1a7452af9 --- /dev/null +++ b/docs/usage/user.asciidoc 
@@ -0,0 +1,430 @@ +[[ecs-user-usage]] +==== Usage + +Here are the subjects covered in this page. + +* <> +* <> + +* <>, or all places user fields can appear +** <> +** <> +** <> +** <> +** <> +** <> + +* <> + +* <> + +* <> + +[discrete] +[[ecs-user-usage-categorization]] +===== Categorization + +User fields can be present in any kind of event, without affecting the event's +categorization. + +However when the event is about IAM (Identity and Account Management), +it should be categorized as follows. In this section we'll cover specifically +`event.category` and `event.type` with regards to IAM activity. Make sure to read +the <> to see all allowed +values, and read more about `event.kind` and `event.outcome`. + +NOTE: IAM activity is a bit particular in that events are expected to be assigned 2 event types. +One of them indicates the type of activity (creation, deletion, change, etc.), +and the other indicates whether a user or a group is the target of the management activity. + +Many sections of the examples below are elided, in order to focus on the categorization +of the events. + +Creation of group "test-group": + +```JSON +{ + "event": { + "kind": "event", + "category": ["iam"], <1> + "type": ["group", "creation"], <2> + "outcome": "success" + }, + "group": { "name": "test-group", ... }, + "user": { ... }, + "related": { "user": [ ... ] } +} +``` +<1> Category "iam" +<2> Both relevant event types to a group creation + +Adding "test-user" to "test-group": + +```JSON +{ + "event": { + "kind": "event", + "category": ["iam"], <1> + "type": ["user", "change"], <2> + "action": "user added to group", <3> + "outcome": "success" + }, + "user": { + ... + "target": { <4> + "name": "test-user", + "group": { "name": "test-group" } + } + }, + "related": { "user": [ ... ] } +} +``` +<1> Category "iam" +<2> Both relevant event types to a user modification +<3> `event.action` is not a categorization field, and has no mandated value. 
It can be populated based on source event details or by a pipeline, to ensure the event captures all subtleties of what's happening. +<4> How to use all possible user fields is detailed below. + +[discrete] +[[ecs-user-identifiers]] +===== User identifiers + +Different systems use different values for user identifiers. Here are a few pointers +to help normalize some simple cases. + +* When a system provides a composite value for the user name (e.g. DOMAINNAME\username), + capture the domain name in `user.domain` and the user name (without the domain) in `user.name`. +* When a system uses an email address as the main identifier, populate both + `user.id` and `user.email` with it. + +[discrete] +[[ecs-user-usage-field-reuse]] +===== Field reuse + +The user fields can be reused (or appear) in many places across ECS. This makes +it possible to capture many users relevant to a single event. + +Here's the full list of places where the user fields can appear: + +* `user.*` +* `user.effective.*` +* `user.target.*` +* `user.changes.*` +* `source.user.*` +* `destination.user.*` +* `client.user.*` +* `server.user.*` +* `host.user.*` (<>) + +Let's go over the meaning of each. + +The examples below will only populate `user.name` and sometimes `user.id` inside +the various `user` nestings, for readability. +However in implementations, unless otherwise noted, all `user` fields that can +reasonably be populated in each location should be populated. + +[discrete] +[[ecs-user-usage-user-at-root]] +====== User fields at the Root of an Event + +The user fields at the root of an event are used to capture the user +performing the main action described by the event. This is especially important +when there's more than one user present on the event. `user.*` fields at the root +of the event represent the user performing the action. 
+ +In many cases, events that only mention one user should populate the user fields +at the root of the event, even if the user is not the one performing the action. + +In cases where a purpose-specific user field such as `url.username` is populated, +`user.name` should also be populated with the same user name. + +[source,json] +----------- +{ + "url": { "username": "alice" }, <1> + "user": { "name": "alice" }, <2> + "related": { "user": ["alice"] } +} +----------- +<1> Purpose-specific username field +<2> Username copied to `user.name` to establish `user.name` as a reliable baseline. + +[discrete] +[[ecs-user-usage-remote-logons]] +====== Remote Logons + +When users are crossing host boundaries, the users are captured at +`source.user` and `destination.user`. + +Examples of data sources where this is applicable: + +* Remote logons via ssh, kerberos +* Firewalls observing network traffic + +In order to align with ECS' design of having `user` at the root of the event as the +user performing the action, all `source.user` fields should be copied to `user` at the root. + +Here's an example where user "alice" logs on to another host as user "deus": + +[source,json] +----------- +{ + "user": { + "name": "alice" + }, + "source": { + "user": { + "name": "alice" + }, + "ip": "10.42.42.42" + }, + "destination": { + "user": { + "name": "deus" + }, + "ip": "10.42.42.43" + }, + "related": { "user": ["alice", "deus"] } +} +----------- + +Whenever an event source populates the `client` and `server` fields in addition +to `source` and `destination`, the user fields should be copied accordingly as well. +You can review <> to learn more about +mapping network events. + +[discrete] +[[ecs-user-usage-privilege-changes]] +====== Privilege Changes + +The `user.effective` fields are relevant when there's a privilege escalation or demotion +and it's possible to determine the user requesting/performing the escalation. 
+ +Use the `user` fields at the root to capture who is requesting the privilege change, +and `user.effective` to capture the requested privilege level, whether or not the +privilege change was successful. + +Here are examples where this is applicable: + +* A user changing identity on a host. +** Examples: sudo, su, Run as. +* Running a program as a different user. Examples: +** A trusted user runs a specific admin command as root via a mechanism such as the Posix setuid/setgid. +** A service manager with administrator privileges starts child processes as limited + users, for security purposes (e.g. root runs Apache HTTPD as user "apache") + +In cases where the event source only gives information about the effective user +and not who requested different privileges, the `user` fields at the root of the +event should be used instead of `user.effective`. + +Here's an example of user "alice" running a command as root via sudo: + +[source,json] +----------- +{ + "user": { + "name": "alice", + "id": "1001", + "effective": { + "name": "root", + "id": "1" + } + }, + "related": { "user": ["alice", "root"] } +} +----------- + +When it's not possible (or it's prohibitive) to determine which user is requesting +different privilege levels, it's acceptable to capture the effective user at the +root of the event. Typically a privilege change event will already have happened, +for example: bob "su" as root; and subsequent events will show the root user +performing the actions. + +[discrete] +[[ecs-user-usage-iam]] +====== Identity and Access Management + +Whenever a user is performing an action that affects another user -- typically +in IAM scenarios -- the user affected by the action is captured at +`user.target`. The user performing the IAM activity is captured at the root +of the event. 
+ +Examples of IAM activity include: + +* user-a creates or deletes user-b +* user-a modifies user-b + +In the create/delete scenarios, there's either no prior state (user creation) +or no post state (user deletion). In these cases, only `user` at the root and +`user.target` must be populated. + +Example where "root" creates user "bob": + +[source,json] +----------- +{ + "user": { + "name": "root", + "id": "1", + "target": { + "name": "bob", + "id": "1002", + ... + } + } + "related": { "user": ["bob", "root"] } +} +----------- + +When there's a change of state to an existing user, `user.target` must be used +to capture the prior state of the user, and `user.changes` should list only +the changes that were performed. + +Example where "root" renames user "bob" to "bob.barker": + +[source,json] +----------- +{ + "user": { + "name": "root", + "id": "1", + "target": { + "name": "bob", + "id": "1002" + }, + "changes": { + "name": "bob.barker" + } + }, + "related": { "user": ["bob", "bob.barker", "root"] } +} +----------- + +You'll note in the example above that unmodified attributes like the user ID are +not repeated under `user.changes.*`, since they didn't change. + +[discrete] +[[ecs-user-usage-combining]] +====== Combining IAM and Privilege Change + +We've covered above how `user.target` and `user.changes` can be used at the same time. +If privilege escalation is also present in the same IAM event, `user.effective` +should of course be used as well. + +Here's the "rename" example from the IAM section above. 
In the following example, +we know "alice" is escalating privileges to "root", in order to modify user "bob": + +[source,json] +----------- +{ + "user": { + "name": "alice", + "id": "1001", + "effective": { + "name": "root", + "id": "1" + }, + "target": { + "name": "bob", + "id": "1002" + }, + "changes": { + "name": "bob.barker" + } + }, + "related": { "user": ["alice", "bob", "bob.barker", "root"] } +} +----------- + +[discrete] +[[ecs-user-usage-reuse-subtleties]] +====== Subtleties around field reuse + +Most cases of field reuse in ECS are reusing a field set inside a different field set. +Two examples of this are: + +* reusing `group` in `user`, resulting in the `user.group.*` fields, or +* reusing `user` in `destination`, resulting in the `destination.user.*` fields, + which also include `destination.user.group.*`. + +The `user` fields can also be reused within `user` as different names, +representing the role of each relevant user. Examples are the `user.target.*` or `user.effective.*` fields. + +However, it's important to note that `user` fields reused within +`user` are _not carried around anywhere else_. +Let's illustrate the various permutations of what's valid and what is not. + +[options="header"] +|===== +| Field | Validity | Notes + +| `user.group.*` | Valid | Normal reuse. +| `destination.user.group.*` | Valid | The `group` reuse gets carried around when `user` is reused elsewhere. +Populate only if relevant to the event. + +| `user.target.group.*`, `user.effective.group.*`, `user.changes.group.*` +| Valid +| The `group` reuse gets carried around even when `user` is reused within itself. +Populate only if relevant to the event. + +| `destination.user.target.*`, `destination.user.effective.*`, `destination.user.changes.*` +| *Invalid* +| The `user` fields reused within `user` are not carried around anywhere else. +The same rule applies when `user` is reused under `source`, `client` and `server`. 
+ +|===== + + +[discrete] +[[ecs-user-usage-pivoting]] +===== Pivoting via related.user + +In all events in this page, we've populated the `related.user` fields. + +Any event that has users in it should always populate the array field `related.user` +with all usernames seen in the event; including event names that appear in custom fields. +Note that this field is not a nesting of all user fields, +it's a flat array meant to contain user identifiers. + +Taking the example from `user.changes` again, we can see that no matter the role +of the each user (before/after privilege escalation, affected user, username after rename), they are all present in `related.user`: + +[source,json] +----------- +{ + "user": { + "name": "alice", + "id": "1001", + "effective": { + "name": "root", + "id": "1" + }, + "target": { + "name": "bob", + "id": "1002" + }, + "changes": { + "name": "bob.barker" + } + }, + "related": { "user": ["alice", "root", "bob", "bob.barker"] } +} +----------- + +Like the other fields in the <> field set, `related.user` is meant to facilitate +pivoting. For example, if you have a suspicion about user "bob.barker", searching +for this name in `related.user` will give you all events related to this user, whether +it's the creation / rename of the user, or events where this user was active in a system. + +[discrete] +[[ecs-user-usage-mappings]] +===== Mapping Examples + +For examples of mapping events from various sources, you can look at +https://github.com/elastic/ecs/blob/master/rfcs/text/0007-multiple-users.md#source-data[RFC 0007 in section Source Data]. + +[discrete] +[[ecs-user-usage-deprecations]] +===== Deprecations + +As of ECS 1.8, `host.user.*` fields are deprecated and will be removed at the next +major version of ECS. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 85be996c31..5072c1b3de 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10045,25 +10045,31 @@ user: full: source.user - as: target at: user + beta: Reusing the user fields in this location is currently considered beta. full: user.target - as: effective at: user + beta: Reusing the user fields in this location is currently considered beta. full: user.effective - as: changes at: user + beta: Reusing the user fields in this location is currently considered beta. full: user.changes top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. - - full: user.target + - beta: Reusing the user fields in this location is currently considered beta. + full: user.target schema_name: user short: Fields to describe the user relevant to the event. - - full: user.effective + - beta: Reusing the user fields in this location is currently considered beta. + full: user.effective schema_name: user short: Fields to describe the user relevant to the event. - - full: user.changes + - beta: Reusing the user fields in this location is currently considered beta. + full: user.changes schema_name: user short: Fields to describe the user relevant to the event. short: Fields to describe the user relevant to the event. diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml index b2af27d5ab..89e182fbee 100644 --- a/experimental/schemas/user.yml +++ b/experimental/schemas/user.yml @@ -7,11 +7,3 @@ type: wildcard - name: email type: wildcard - reusable: - expected: - - at: user - as: target - - at: user - as: effective - - at: user - as: changes diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 223cc8f130..1caa603979 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5486,6 +5486,85 @@ provide an array that includes all of them.' type: group fields: + - name: changes.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: changes.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: changes.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: changes.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: changes.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: changes.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: changes.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. 
+ example: albert + default_field: false + - name: changes.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: domain level: extended type: keyword 
@@ -5493,6 +5572,85 @@ description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' + - name: effective.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: effective.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: effective.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: effective.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: effective.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: effective.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: effective.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. 
+ example: albert + default_field: false + - name: effective.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: email level: extended type: keyword 
@@ -5558,6 +5716,85 @@ description: Array of user roles at the time of the event. example: '["kibana_admin", "reporting_user"]' default_field: false + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: target.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: target.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: target.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: target.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. 
+ example: albert + default_field: false + - name: target.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: user_agent title: User agent group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a8fc2c7e04..cd996051dc 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -646,7 +646,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +1.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. 
+1.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,user,user.email,keyword,extended,,,User email address. 1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
@@ -658,6 +682,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. 1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +1.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.8.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8ddc706a5a..90d2496342 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8314,6 +8314,138 @@ url.username: normalize: [] short: Username of the request. type: keyword +user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. + flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. + example: albert + flat_name: user.changes.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +user.changes.roles: + dashed_name: user-changes-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.changes.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword user.domain: dashed_name: user-domain description: 'Name of the directory the user is a member of. 
@@ -8326,6 +8458,138 @@ user.domain: normalize: [] short: Name of the directory the user is a member of. type: keyword +user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.effective.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. + flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. + flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +user.effective.roles: + dashed_name: user-effective-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.effective.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword user.email: dashed_name: user-email description: User email address. 
@@ -8439,6 +8703,138 @@ user.roles: - array short: Array of user roles at the time of the event. type: keyword +user.target.domain: + dashed_name: user-target-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.target.email: + dashed_name: user-target-email + description: User email address. + flat_name: user.target.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.target.full_name: + dashed_name: user-target-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.target.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.target.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.target.group.domain: + dashed_name: user-target-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.target.group.id: + dashed_name: user-target-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.target.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +user.target.group.name: + dashed_name: user-target-group-name + description: Name of the group. + flat_name: user.target.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.target.hash: + dashed_name: user-target-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.target.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.target.id: + dashed_name: user-target-id + description: Unique identifier of the user. + flat_name: user.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.target.name: + dashed_name: user-target-name + description: Short name or login of the user. + example: albert + flat_name: user.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.target.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +user.target.roles: + dashed_name: user-target-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.target.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword user_agent.device.name: dashed_name: user-agent-device-name description: Name of the device. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c00c9c5173..eaa283a9a0 100644 
--- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9602,6 +9602,138 @@ user: Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' fields: + user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. + flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. + example: albert + flat_name: user.changes.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + user.changes.roles: + dashed_name: user-changes-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.changes.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword user.domain: dashed_name: user-domain description: 'Name of the directory the user is a member of. 
@@ -9614,6 +9746,138 @@ user: normalize: [] short: Name of the directory the user is a member of. type: keyword + user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.effective.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. + flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. + flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + user.effective.roles: + dashed_name: user-effective-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.effective.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword user.email: dashed_name: user-email description: User email address. 
@@ -9727,10 +9991,145 @@ user: - array short: Array of user roles at the time of the event. type: keyword + user.target.domain: + dashed_name: user-target-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.target.email: + dashed_name: user-target-email + description: User email address. + flat_name: user.target.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.target.full_name: + dashed_name: user-target-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.target.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.target.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + user.target.group.domain: + dashed_name: user-target-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.target.group.id: + dashed_name: user-target-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.target.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + user.target.group.name: + dashed_name: user-target-group-name + description: Name of the group. + flat_name: user.target.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.target.hash: + dashed_name: user-target-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.target.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.target.id: + dashed_name: user-target-id + description: Unique identifier of the user. + flat_name: user.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.target.name: + dashed_name: user-target-name + description: Short name or login of the user. + example: albert + flat_name: user.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.target.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + user.target.roles: + dashed_name: user-target-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: user.target.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + type: keyword group: 2 name: user nestings: + - user.changes + - user.effective - user.group + - user.target prefix: user. reusable: expected: 
@@ -9749,11 +10148,35 @@ user: - as: user at: source full: source.user + - as: target + at: user + beta: Reusing the user fields in this location is currently considered beta. + full: user.target + - as: effective + at: user + beta: Reusing the user fields in this location is currently considered beta. + full: user.effective + - as: changes + at: user + beta: Reusing the user fields in this location is currently considered beta. + full: user.changes top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. + - beta: Reusing the user fields in this location is currently considered beta. + full: user.target + schema_name: user + short: Fields to describe the user relevant to the event. + - beta: Reusing the user fields in this location is currently considered beta. + full: user.effective + schema_name: user + short: Fields to describe the user relevant to the event. + - beta: Reusing the user fields in this location is currently considered beta. + full: user.changes + schema_name: user + short: Fields to describe the user relevant to the event. short: Fields to describe the user relevant to the event. title: User type: group diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index e36eb3038f..bf81034aec 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -3053,10 +3053,130 @@ }, "user": { "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "email": { "ignore_above": 1024, "type": "keyword" 
@@ -3108,6 +3228,66 @@ "roles": { "ignore_above": 1024, "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 2abf80257d..4b94205762 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -3052,10 +3052,130 @@ }, "user": { "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "email": { "ignore_above": 1024, "type": "keyword" 
@@ -3107,6 +3227,66 @@ "roles": { "ignore_above": 1024, "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/schemas/user.yml b/schemas/user.yml index f4f10750a7..0fe7a32411 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -18,6 +18,15 @@ - host - server - source + - at: user + as: target + beta: Reusing the user fields in this location is currently considered beta. + - at: user + as: effective + beta: Reusing the user fields in this location is currently considered beta. + - at: user + as: changes + beta: Reusing the user fields in this location is currently considered beta. # TODO Temporarily commented out to simplify initial rewrite review From 3a22a0802999b31a9474c96a3f1c25b66892585c Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 8 Dec 2020 16:24:37 -0600 Subject: [PATCH 55/90] [1.x] Handle `error.stack_trace` case for ES 6.x template (#1176) (#1177) --- CHANGELOG.next.md | 2 +- scripts/generators/es_template.py | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2488a956e5..641bbd272d 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
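Review bot: The three new reuse entries in `schemas/user.yml` carry only `at`, `as` and `beta`, so nothing in the schema states how `user.target`, `user.effective` and `user.changes` differ, and the generated `reused_here` entries earlier in this patch all repeat the same generic `short: Fields to describe the user relevant to the event.` for the three nestings. An analyst writing a detection on these fields (e.g. distinguishing the account acted upon from the identity an action ran as) cannot tell them apart from the field reference alone, and producers may populate them inconsistently. I would add a comment above the block such as `# target: user the action was taken on; effective: identity the action ran as; changes: user attributes changed by the event` (adjust if that is not the intended meaning), or a per-nesting short description if this version of the generator supports one. The enclosing `reusable.expected` list starts before the hunk.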
@@ -51,7 +51,7 @@ Thanks, you're awesome :-) --> * Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162 -* ES 6.x template data types will fallback to supported types. #1171 +* ES 6.x template data types will fallback to supported types. #1171, #1176 #### Deprecated diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index bb56356a5a..65dc871a2e 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py @@ -97,6 +97,13 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir, if elasticsearch_version == 6: es6_mappings_section = copy.deepcopy(mappings_section) es6_type_fallback(es6_mappings_section['properties']) + + # error.stack_trace needs special handling to set + # index: false and doc_values: false + error_stack_trace_mappings = es6_mappings_section['properties']['error']['properties']['stack_trace'] + error_stack_trace_mappings.setdefault('index', False) + error_stack_trace_mappings.setdefault('doc_values', False) + template['mappings'] = {'_doc': es6_mappings_section} else: template['mappings'] = mappings_section From ec42319058d444d13d0c1dd3cf1ed4cd70ff15eb Mon Sep 17 00:00:00 2001 
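Review bot: The hard-coded lookup `es6_mappings_section['properties']['error']['properties']['stack_trace']` raises `KeyError` whenever the mappings being generated do not contain the `error` field set or its `stack_trace` field, which I believe can happen when the generator is run with a field subset or include filter (not visible in this hunk). The ES 6 branch should tolerate the field being absent rather than abort template generation. The comment should also say why the override is needed (the ES 7 mapping for this field is not valid as-is on 6.x), not just what it sets. `generate_template_version` starts and ends outside the hunk.
```python
        # … unchanged: es6_type_fallback call …
        # error.stack_trace needs special handling to set index: false and
        # doc_values: false; skip silently if the error field set is not part
        # of the generated mappings.
        error_props = es6_mappings_section['properties'].get('error', {}).get('properties', {})
        error_stack_trace_mappings = error_props.get('stack_trace')
        if error_stack_trace_mappings is not None:
            error_stack_trace_mappings.setdefault('index', False)
            error_stack_trace_mappings.setdefault('doc_values', False)
        # … unchanged: template['mappings'] assignment …
```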
From: Mathieu Martin Date: Wed, 9 Dec 2020 15:46:23 -0500 Subject: [PATCH 56/90] [1.x] Add composable index templates artifacts (#1156) (#1179) --- CHANGELOG.next.md | 1 + Makefile | 2 +- .../generated/elasticsearch/7/template.json | 6 +- .../elasticsearch/component/agent.json | 43 +++ .../elasticsearch/component/base.json | 26 ++ .../elasticsearch/component/client.json | 171 +++++++++ .../elasticsearch/component/cloud.json | 72 ++++ .../elasticsearch/component/container.json | 43 +++ .../elasticsearch/component/destination.json | 171 +++++++++ .../elasticsearch/component/dll.json | 96 +++++ .../elasticsearch/component/dns.json | 89 +++++ .../elasticsearch/component/ecs.json | 20 + .../elasticsearch/component/error.json | 40 ++ .../elasticsearch/component/event.json | 109 ++++++ .../elasticsearch/component/file.json | 280 ++++++++++++++ .../elasticsearch/component/group.json | 28 ++ .../elasticsearch/component/host.json | 182 +++++++++ .../elasticsearch/component/http.json | 84 +++++ .../elasticsearch/component/log.json | 85 +++++ .../elasticsearch/component/network.json | 86 +++++ .../elasticsearch/component/observer.json | 201 ++++++++++ .../elasticsearch/component/organization.json | 29 ++ .../elasticsearch/component/package.json | 66 ++++ .../elasticsearch/component/process.json | 332 ++++++++++++++++ .../elasticsearch/component/registry.json | 45 +++ .../elasticsearch/component/related.json | 31 ++ .../elasticsearch/component/rule.json | 56 +++ .../elasticsearch/component/server.json | 171 +++++++++ .../elasticsearch/component/service.json | 48 +++ .../elasticsearch/component/source.json | 171 +++++++++ .../elasticsearch/component/threat.json | 80 ++++ .../elasticsearch/component/tls.json | 346 +++++++++++++++++ .../elasticsearch/component/tracing.json | 36 ++ .../elasticsearch/component/url.json | 78 ++++ .../elasticsearch/component/user.json | 240 ++++++++++++ .../elasticsearch/component/user_agent.json | 83 ++++ .../component/vulnerability.json | 79 ++++ 
.../generated/elasticsearch/template.json | 71 ++++ generated/README.md | 25 +- generated/elasticsearch/6/template.json | 6 +- generated/elasticsearch/7/template.json | 6 +- generated/elasticsearch/README.md | 145 ++++++- generated/elasticsearch/component/agent.json | 44 +++ generated/elasticsearch/component/base.json | 26 ++ generated/elasticsearch/component/client.json | 178 +++++++++ generated/elasticsearch/component/cloud.json | 72 ++++ .../elasticsearch/component/container.json | 43 +++ .../elasticsearch/component/destination.json | 178 +++++++++ generated/elasticsearch/component/dll.json | 97 +++++ generated/elasticsearch/component/dns.json | 91 +++++ generated/elasticsearch/component/ecs.json | 20 + generated/elasticsearch/component/error.json | 44 +++ generated/elasticsearch/component/event.json | 109 ++++++ generated/elasticsearch/component/file.json | 286 ++++++++++++++ generated/elasticsearch/component/group.json | 28 ++ generated/elasticsearch/component/host.json | 189 ++++++++++ generated/elasticsearch/component/http.json | 87 +++++ generated/elasticsearch/component/log.json | 87 +++++ .../elasticsearch/component/network.json | 86 +++++ .../elasticsearch/component/observer.json | 204 ++++++++++ .../elasticsearch/component/organization.json | 30 ++ .../elasticsearch/component/package.json | 66 ++++ .../elasticsearch/component/process.json | 346 +++++++++++++++++ .../elasticsearch/component/registry.json | 48 +++ .../elasticsearch/component/related.json | 31 ++ generated/elasticsearch/component/rule.json | 56 +++ generated/elasticsearch/component/server.json | 178 +++++++++ .../elasticsearch/component/service.json | 48 +++ generated/elasticsearch/component/source.json | 178 +++++++++ generated/elasticsearch/component/threat.json | 80 ++++ generated/elasticsearch/component/tls.json | 354 ++++++++++++++++++ .../elasticsearch/component/tracing.json | 36 ++ generated/elasticsearch/component/url.json | 83 ++++ generated/elasticsearch/component/user.json | 252 
+++++++++++++ .../elasticsearch/component/user_agent.json | 86 +++++ .../component/vulnerability.json | 79 ++++ generated/elasticsearch/template.json | 71 ++++ scripts/generator.py | 5 +- scripts/generators/es_template.py | 160 ++++++-- 79 files changed, 7974 insertions(+), 61 deletions(-) create mode 100644 experimental/generated/elasticsearch/component/agent.json create mode 100644 experimental/generated/elasticsearch/component/base.json create mode 100644 experimental/generated/elasticsearch/component/client.json create mode 100644 experimental/generated/elasticsearch/component/cloud.json create mode 100644 experimental/generated/elasticsearch/component/container.json create mode 100644 experimental/generated/elasticsearch/component/destination.json create mode 100644 experimental/generated/elasticsearch/component/dll.json create mode 100644 experimental/generated/elasticsearch/component/dns.json create mode 100644 experimental/generated/elasticsearch/component/ecs.json create mode 100644 experimental/generated/elasticsearch/component/error.json create mode 100644 experimental/generated/elasticsearch/component/event.json create mode 100644 experimental/generated/elasticsearch/component/file.json create mode 100644 experimental/generated/elasticsearch/component/group.json create mode 100644 experimental/generated/elasticsearch/component/host.json create mode 100644 experimental/generated/elasticsearch/component/http.json create mode 100644 experimental/generated/elasticsearch/component/log.json create mode 100644 experimental/generated/elasticsearch/component/network.json create mode 100644 experimental/generated/elasticsearch/component/observer.json create mode 100644 experimental/generated/elasticsearch/component/organization.json create mode 100644 experimental/generated/elasticsearch/component/package.json create mode 100644 experimental/generated/elasticsearch/component/process.json create mode 100644 
experimental/generated/elasticsearch/component/registry.json create mode 100644 experimental/generated/elasticsearch/component/related.json create mode 100644 experimental/generated/elasticsearch/component/rule.json create mode 100644 experimental/generated/elasticsearch/component/server.json create mode 100644 experimental/generated/elasticsearch/component/service.json create mode 100644 experimental/generated/elasticsearch/component/source.json create mode 100644 experimental/generated/elasticsearch/component/threat.json create mode 100644 experimental/generated/elasticsearch/component/tls.json create mode 100644 experimental/generated/elasticsearch/component/tracing.json create mode 100644 experimental/generated/elasticsearch/component/url.json create mode 100644 experimental/generated/elasticsearch/component/user.json create mode 100644 experimental/generated/elasticsearch/component/user_agent.json create mode 100644 experimental/generated/elasticsearch/component/vulnerability.json create mode 100644 experimental/generated/elasticsearch/template.json create mode 100644 generated/elasticsearch/component/agent.json create mode 100644 generated/elasticsearch/component/base.json create mode 100644 generated/elasticsearch/component/client.json create mode 100644 generated/elasticsearch/component/cloud.json create mode 100644 generated/elasticsearch/component/container.json create mode 100644 generated/elasticsearch/component/destination.json create mode 100644 generated/elasticsearch/component/dll.json create mode 100644 generated/elasticsearch/component/dns.json create mode 100644 generated/elasticsearch/component/ecs.json create mode 100644 generated/elasticsearch/component/error.json create mode 100644 generated/elasticsearch/component/event.json create mode 100644 generated/elasticsearch/component/file.json create mode 100644 generated/elasticsearch/component/group.json create mode 100644 generated/elasticsearch/component/host.json create mode 100644 
generated/elasticsearch/component/http.json create mode 100644 generated/elasticsearch/component/log.json create mode 100644 generated/elasticsearch/component/network.json create mode 100644 generated/elasticsearch/component/observer.json create mode 100644 generated/elasticsearch/component/organization.json create mode 100644 generated/elasticsearch/component/package.json create mode 100644 generated/elasticsearch/component/process.json create mode 100644 generated/elasticsearch/component/registry.json create mode 100644 generated/elasticsearch/component/related.json create mode 100644 generated/elasticsearch/component/rule.json create mode 100644 generated/elasticsearch/component/server.json create mode 100644 generated/elasticsearch/component/service.json create mode 100644 generated/elasticsearch/component/source.json create mode 100644 generated/elasticsearch/component/threat.json create mode 100644 generated/elasticsearch/component/tls.json create mode 100644 generated/elasticsearch/component/tracing.json create mode 100644 generated/elasticsearch/component/url.json create mode 100644 generated/elasticsearch/component/user.json create mode 100644 generated/elasticsearch/component/user_agent.json create mode 100644 generated/elasticsearch/component/vulnerability.json create mode 100644 generated/elasticsearch/template.json diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 641bbd272d..ce5be6eab8 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -46,6 +46,7 @@ Thanks, you're awesome :-) --> * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051 * Added support for `constant_keyword`'s optional parameter `value`. #1112 +* Added component templates for ECS field sets. #1156 #### Improvements diff --git a/Makefile b/Makefile index 67ee219d8a..327f64b49f 100644 --- a/Makefile +++ b/Makefile 
@@ -34,7 +34,7 @@ check-license-headers: # Clean deletes all temporary and generated content. .PHONY: clean clean: - rm -rf build + rm -rf build generated/elasticsearch/component experimental/generated/elasticsearch/component # Clean all markdown files for use-cases find ./use-cases -type f -name '*.md' -not -name 'README.md' -print0 | xargs -0 rm -- diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 1ae21ee498..dfa18031da 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1,11 +1,11 @@ { + "_meta": { + "version": "1.8.0-dev+exp" + }, "index_patterns": [ "try-ecs-*" ], "mappings": { - "_meta": { - "version": "1.8.0-dev+exp" - }, "date_detection": false, "dynamic_templates": [ { diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json new file mode 100644 index 0000000000..fb5c48723d --- /dev/null +++ b/experimental/generated/elasticsearch/component/agent.json @@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "wildcard" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json new file mode 100644 index 0000000000..f99eeef699 --- /dev/null 
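Review bot: `clean` now deletes `generated/elasticsearch/component` and `experimental/generated/elasticsearch/component`, but the diffstat of this same patch records those directories' JSON files as newly tracked (`create mode 100644 generated/elasticsearch/component/*.json`), so `make clean` leaves the working tree with staged-for-nothing deletions until a full regenerate runs. The other tracked generated artifacts (`generated/elasticsearch/6` and `7`) are not removed here, which makes the asymmetry look unintentional. Either drop the two directories from the `rm -rf` line, or add a comment such as `# NOTE: removes tracked generated output; run the generator afterwards to restore it` so the behaviour is deliberate.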
+++ b/experimental/generated/elasticsearch/component/base.json @@ -0,0 +1,26 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json new file mode 100644 index 0000000000..15ddc75390 --- /dev/null +++ b/experimental/generated/elasticsearch/component/client.json 
@@ -0,0 +1,171 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json new file mode 100644 index 0000000000..ff7311dafe --- /dev/null +++ b/experimental/generated/elasticsearch/component/cloud.json @@ -0,0 +1,72 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json new file mode 100644 index 0000000000..8141acb5b2 --- /dev/null 
+++ b/experimental/generated/elasticsearch/component/container.json @@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json new file mode 100644 index 0000000000..3b26ce3896 --- /dev/null +++ b/experimental/generated/elasticsearch/component/destination.json 
@@ -0,0 +1,171 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json new file mode 100644 index 0000000000..da68f2d771 --- /dev/null +++ b/experimental/generated/elasticsearch/component/dll.json 
@@ -0,0 +1,96 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json new file mode 100644 index 0000000000..5060df8227 --- /dev/null +++ b/experimental/generated/elasticsearch/component/dns.json 
@@ -0,0 +1,89 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "type": "wildcard" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "type": "wildcard" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json new file mode 100644 index 0000000000..244cf87db4 --- /dev/null +++ b/experimental/generated/elasticsearch/component/ecs.json @@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json new file mode 100644 index 0000000000..4423a3a84c --- /dev/null +++ b/experimental/generated/elasticsearch/component/error.json @@ -0,0 +1,40 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "type": "wildcard" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json new file mode 100644 index 0000000000..42a982b4bf --- /dev/null +++ b/experimental/generated/elasticsearch/component/event.json 
@@ -0,0 +1,109 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json new file mode 100644 index 0000000000..5c1b4b6057 --- /dev/null +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -0,0 +1,280 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json new file mode 100644 index 0000000000..f310f5c103 --- /dev/null +++ b/experimental/generated/elasticsearch/component/group.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json new file mode 100644 index 0000000000..19c9898702 --- /dev/null +++ b/experimental/generated/elasticsearch/component/host.json 
@@ -0,0 +1,182 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "type": "wildcard" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + 
"norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json new file mode 100644 index 0000000000..5de0e679a7 --- /dev/null +++ b/experimental/generated/elasticsearch/component/http.json 
@@ -0,0 +1,84 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "type": "wildcard" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json new file mode 100644 index 0000000000..81228a61ff --- /dev/null +++ b/experimental/generated/elasticsearch/component/log.json 
@@ -0,0 +1,85 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "wildcard" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "type": "wildcard" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json new file mode 100644 index 0000000000..c2730e72d0 --- /dev/null +++ b/experimental/generated/elasticsearch/component/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json new file mode 100644 index 0000000000..ad34d29bbe --- /dev/null +++ b/experimental/generated/elasticsearch/component/observer.json 
@@ -0,0 +1,201 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json new file mode 100644 index 0000000000..6af7d5ac6f --- /dev/null +++ b/experimental/generated/elasticsearch/component/organization.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json new file mode 100644 index 0000000000..af4633e8a4 --- /dev/null +++ b/experimental/generated/elasticsearch/component/package.json 
@@ -0,0 +1,66 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json new file mode 100644 index 0000000000..e082f76b26 --- /dev/null +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -0,0 +1,332 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + 
"fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "wildcard" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "wildcard" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json new file mode 100644 index 0000000000..96ced2ea54 --- /dev/null +++ b/experimental/generated/elasticsearch/component/registry.json @@ -0,0 +1,45 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json new file mode 100644 index 0000000000..c1ab9d53bd --- /dev/null +++ b/experimental/generated/elasticsearch/component/related.json 
@@ -0,0 +1,31 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json new file mode 100644 index 0000000000..b41de85270 --- /dev/null +++ b/experimental/generated/elasticsearch/component/rule.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json new file mode 100644 index 0000000000..088a8834c9 --- /dev/null +++ b/experimental/generated/elasticsearch/component/server.json 
@@ -0,0 +1,171 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json new file mode 100644 index 0000000000..406a1b6035 --- /dev/null +++ b/experimental/generated/elasticsearch/component/service.json @@ -0,0 +1,48 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json new file mode 100644 index 0000000000..34b49ff5ac --- /dev/null +++ b/experimental/generated/elasticsearch/component/source.json 
@@ -0,0 +1,171 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "wildcard" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "wildcard" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json new file mode 100644 index 0000000000..fc11a704d4 --- /dev/null +++ b/experimental/generated/elasticsearch/component/threat.json @@ -0,0 +1,80 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json new file mode 100644 index 0000000000..b408cc9ef1 --- /dev/null +++ b/experimental/generated/elasticsearch/component/tls.json 
@@ -0,0 +1,346 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "type": "wildcard" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "type": "wildcard" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + 
"public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "type": "wildcard" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "wildcard" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json new file mode 100644 index 0000000000..93d265526a --- /dev/null +++ b/experimental/generated/elasticsearch/component/tracing.json 
@@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json new file mode 100644 index 0000000000..7c9d8e0f5b --- /dev/null +++ b/experimental/generated/elasticsearch/component/url.json @@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json new file mode 100644 index 0000000000..b06e2205dd --- /dev/null +++ b/experimental/generated/elasticsearch/component/user.json 
@@ -0,0 +1,240 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "type": "wildcard" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json new file mode 100644 index 0000000000..90d6220b01 --- /dev/null +++ b/experimental/generated/elasticsearch/component/user_agent.json 
@@ -0,0 +1,83 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json new file mode 100644 index 0000000000..9b1b6c0289 --- /dev/null +++ b/experimental/generated/elasticsearch/component/vulnerability.json 
@@ -0,0 +1,79 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", + "ecs_version": "1.8.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json new file mode 100644 index 0000000000..44ea72094d --- /dev/null +++ b/experimental/generated/elasticsearch/template.json 
@@ -0,0 +1,71 @@ +{ + "_meta": { + "description": "Sample composable template that includes all ECS fields", + "ecs_version": "1.8.0-dev+exp" + }, + "composed_of": [ + "ecs_1.8.0-dev-exp_agent", + "ecs_1.8.0-dev-exp_base", + "ecs_1.8.0-dev-exp_client", + "ecs_1.8.0-dev-exp_cloud", + "ecs_1.8.0-dev-exp_container", + "ecs_1.8.0-dev-exp_destination", + "ecs_1.8.0-dev-exp_dll", + "ecs_1.8.0-dev-exp_dns", + "ecs_1.8.0-dev-exp_ecs", + "ecs_1.8.0-dev-exp_error", + "ecs_1.8.0-dev-exp_event", + "ecs_1.8.0-dev-exp_file", + "ecs_1.8.0-dev-exp_group", + "ecs_1.8.0-dev-exp_host", + "ecs_1.8.0-dev-exp_http", + "ecs_1.8.0-dev-exp_log", + "ecs_1.8.0-dev-exp_network", + "ecs_1.8.0-dev-exp_observer", + "ecs_1.8.0-dev-exp_organization", + "ecs_1.8.0-dev-exp_package", + "ecs_1.8.0-dev-exp_process", + "ecs_1.8.0-dev-exp_registry", + "ecs_1.8.0-dev-exp_related", + "ecs_1.8.0-dev-exp_rule", + "ecs_1.8.0-dev-exp_server", + "ecs_1.8.0-dev-exp_service", + "ecs_1.8.0-dev-exp_source", + "ecs_1.8.0-dev-exp_threat", + "ecs_1.8.0-dev-exp_tls", + "ecs_1.8.0-dev-exp_tracing", + "ecs_1.8.0-dev-exp_url", + "ecs_1.8.0-dev-exp_user", + "ecs_1.8.0-dev-exp_user_agent", + "ecs_1.8.0-dev-exp_vulnerability" + ], + "index_patterns": [ + "try-ecs-*" + ], + "priority": 1, + "template": { + "mappings": { + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ] + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2000 + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/README.md b/generated/README.md index 3972963bae..89b5f34a98 100644 --- a/generated/README.md +++ b/generated/README.md 
@@ -4,23 +4,26 @@ Various kinds of files or programs can be generated directly based on ECS. In this directory, you'll find the following: -* `beats/fields.ecs.yml`: The YAML field definition file used by Beats to import ECS in it's broader - field schema. +* [beats/fields.ecs.yml](beats/fields.ecs.yml): The YAML field definition file + used by **Beats to import ECS** in it's broader field schema. This might also + be useful to community Beats maintainers. -* `csv/fields.csv`: A csv file you can use to import ECS field definitions -in a spreadsheet. +* [csv/fields.csv](csv/fields.csv): A csv file you can use to import ECS field + definitions in a **spreadsheet**. GitHub's csv rendering lets you filter + the fields, too. -* `ecs/*.yml`: These are the files you should use, if you need to consume ECS - programmatically. This repo's artifact generators all operate based off of one - of these two representations (documentation, csv, Elasticsearch - template, etc). +* [ecs/\*.yml](ecs/): These are the files to use when you need to **consume ECS + programmatically**. The code generating the other ECS artifacts all operate on one + of these two representations (documentation, csv, Elasticsearch template, etc). The two files are the fully fleshed out representation of ECS: default values are filled in, all fields being reused elsewhere are made explicit, additional attributes are computed. -* `elasticsearch/{6,7}/template.json`: Sample Elasticsearch templates to get - started using ECS. Check out how to use them in - [generated/elasticsearch/README.md](elasticsearch). +* [elasticsearch/](elasticsearch#readme): Reference Elasticsearch **component templates** + and a sample legacy all-in-one template to get started using ECS. + Check out how to use them in [elasticsearch/README.md](elasticsearch#readme). 
+ Note that you can customize the content of these templates by following the + instructions in [USAGE.md](/USAGE.md) If you'd like to share your own generator with the ECS community, you're welcome to look at our [contribution guidelines](/CONTRIBUTING.md), and then at the diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index bf81034aec..fa8b315edc 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1,12 +1,12 @@ { + "_meta": { + "version": "1.8.0-dev" + }, "index_patterns": [ "try-ecs-*" ], "mappings": { "_doc": { - "_meta": { - "version": "1.8.0-dev" - }, "date_detection": false, "dynamic_templates": [ { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 4b94205762..2de32c5500 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1,11 +1,11 @@ { + "_meta": { + "version": "1.8.0-dev" + }, "index_patterns": [ "try-ecs-*" ], "mappings": { - "_meta": { - "version": "1.8.0-dev" - }, "date_detection": false, "dynamic_templates": [ { diff --git a/generated/elasticsearch/README.md b/generated/elasticsearch/README.md index 40579d141c..4ad26d45dd 100644 --- a/generated/elasticsearch/README.md +++ b/generated/elasticsearch/README.md 
@@ -6,9 +6,16 @@ point for experimentation. When you're ready to customize this template to the precise needs of your use case, please check out [USAGE.md](../../USAGE.md). -## Notes on index naming +The component index templates described below should be considered reference templates for ECS. -This sample Elasticsearch template will apply to any index named `try-ecs-*`. +The composable template that brings them together, and the legacy all-in-one index +template should be considered sample templates. Both of them include all ECS fields, +which is great for experimentation, but is not actually recommended. The best practice +is to craft your index templates to contain only the field you needs. + +## Index naming + +These sample Elasticsearch templates will apply to any index named `try-ecs-*`. This is good for experimentation. Note that an index following ECS can be named however you need. There's no requirement 
@@ -16,27 +23,155 @@ to have "ecs" in the index name. ## Instructions +Elasticsearch 7.8 introduced +[composable index templates](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html) +as the new default way to craft index templates. + +The following instructions let you use either approach. + +### Composable and component index templates + +**Warning**: The artifacts based on composable templates are newly introduced in the ECS repository. +Please try them out and give us feedback if you encounter any issues. + +If you want to play with a specific version of ECS, check out the proper branch first. +Note that the composable index templates are available in the ECS 1.7 branch or newer. + +``` +git checkout 1.7 +``` + +First load all component templates in Elasticsearch. The following script creates +one reusable component template per ECS field set (one for "event" fields, one for "base" fields, etc.) + +They will be named according to the following naming convention: `_component_template/ecs_{ecs version}_{field set name}`. + +Authenticate your API calls appropriately by adjusting the username:password in this variable. + +```bash +auth="elastic:elastic" +``` + +```bash +version="$(cat version)" +for file in `ls generated/elasticsearch/component/*.json` +do + fieldset=`echo $file | cut -d/ -f4 | cut -d. -f1` + component_name="ecs_${version}_${fieldset}" + api="_component_template/${component_name}" + + # echo "$file => $api" + curl --user "$auth" -XPUT "localhost:9200/$api" --header "Content-Type: application/json" -d @"$file" +done +``` + +A component template for each ECS field set is now loaded. You could stop here and +craft a composable template with the settings you need, which loads only the ECS +fields your index needs via `composed_of`. You can look at [template.json](template.json) for an example. 
+ +If you'd like, you can load a sample composable template that contains all ECS fields, +for experimentation: + +```bash +api="_index_template/try-ecs" +file="generated/elasticsearch/template.json" +curl --user "$auth" -XPUT "localhost:9200/$api" --header "Content-Type: application/json" -d @"$file" +``` + +#### Play from Kibana Dev Tools + +``` +# Look at the ECS component templates 👀 +GET _component_template/ecs_* +# And if you created the sample index template +GET _index_template/try-ecs + +# index a document +PUT try-ecs-test +GET try-ecs-test +POST try-ecs-test/_doc +{ "@timestamp": "2020-10-26T22:38:39.000Z", "message": "Hello ECS World", "host": { "ip": "10.42.42.42"} } + +# enjoy +GET try-ecs-test/_search +{ "query": { "term": { "host.ip": "10.0.0.0/8" } } } +``` + +#### How to compose templates + +Most event sources should include the ECS basics: + +- base +- ecs +- event +- log + +Most event sources should also include fields that capture "where it's happening", +but depending on whether you use containers or the cloud, you may want to omit some in this list: + +- host (actually don't omit this one) +- container +- cloud + +Depending on whether the index contains events captured by an agent or an observer, include one or both of: + +- agent +- observer + +Most of the other field sets will depend on which kind of documents will be in your index. + +If the documents refer to network-related events, you'll likely want to pick among: + +- client & server +- source & destination +- network +- dns, http, tls + +If users are involved in the events: + +- user +- group + +And so on. + +For a concrete example, an index containing your web server logs, should contain at least: + +- base, ecs, event, log +- host, cloud and/or container as needed +- agent +- source, destination, client, server, network, http, tls +- user +- url, user\_agent + +### Legacy index templates + If you want to play with a specific version of ECS, check out the proper branch first. 
``` git checkout 1.6 ``` +Authenticate your API calls appropriately by adjusting the username:password in this variable. + +```bash +auth="elastic:elastic" +``` + Load the template in Elasticsearch from your shell. ```bash # Elasticsearch 7 -curl -XPOST 'localhost:9200/_template/try-ecs' \ +curl --user $"$auth" -XPOST 'localhost:9200/_template/try-ecs' \ --header "Content-Type: application/json" \ -d @'generated/elasticsearch/7/template.json' # or Elasticsearch 6 -curl -XPOST 'localhost:9200/_template/try-ecs' \ +curl --user $"$auth" -XPOST 'localhost:9200/_template/try-ecs' \ --header "Content-Type: application/json" \ -d @'generated/elasticsearch/6/template.json' ``` -Play from Kibana Dev Tools +#### Play from Kibana Dev Tools ``` # Look at the template you just uploaded 👀 diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json new file mode 100644 index 0000000000..c130016bbd --- /dev/null +++ b/generated/elasticsearch/component/agent.json @@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json new file mode 100644 index 0000000000..5f5c1db363 --- /dev/null +++ b/generated/elasticsearch/component/base.json 
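Review bot: The two legacy-template curl commands near the end of this hunk use `$"$auth"` where the composable-template section above uses `"$auth"`; in bash `$"…"` is the locale-translation quoting form, so this is a typo that happens to work in bash but breaks under a POSIX sh (the `$` is passed literally and authentication fails), and the fix is `curl --user "$auth" -XPOST 'localhost:9200/_template/try-ecs' \` in both the Elasticsearch 7 and 6 snippets. Separately, passing `--user "$auth"` puts the superuser password on the command line where it is visible in process listings and shell history; a one-line caveat next to `auth="elastic:elastic"` such as `# --user exposes the password to other local users via the process list; outside a throwaway test cluster prefer -u elastic (curl prompts) or --netrc` would help readers who copy these commands onto a shared host. The component-template loop could also iterate the glob directly, `for file in generated/elasticsearch/component/*.json`, instead of word-splitting the output of ls.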
@@ -0,0 +1,26 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json new file mode 100644 index 0000000000..5dde7cdb39 --- /dev/null +++ b/generated/elasticsearch/component/client.json 
@@ -0,0 +1,178 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json new file mode 100644 index 0000000000..4f232454c4 --- /dev/null +++ b/generated/elasticsearch/component/cloud.json @@ -0,0 +1,72 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json new file mode 100644 index 0000000000..38eca1d7f2 --- /dev/null +++ b/generated/elasticsearch/component/container.json @@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json new file mode 100644 index 0000000000..1a24a18e99 --- /dev/null +++ b/generated/elasticsearch/component/destination.json 
@@ -0,0 +1,178 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json new file mode 100644 index 0000000000..e630a76c71 --- /dev/null +++ b/generated/elasticsearch/component/dll.json 
@@ -0,0 +1,97 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json new file mode 100644 index 0000000000..42d21fc551 --- /dev/null +++ b/generated/elasticsearch/component/dns.json 
@@ -0,0 +1,91 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json new file mode 100644 index 0000000000..f0236e672f --- /dev/null +++ b/generated/elasticsearch/component/ecs.json @@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json new file mode 100644 index 0000000000..d22a07231f --- /dev/null +++ b/generated/elasticsearch/component/error.json @@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json new file mode 100644 index 0000000000..85c990900f --- /dev/null +++ b/generated/elasticsearch/component/event.json 
@@ -0,0 +1,109 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json new file mode 100644 index 0000000000..cf1324a4f2 --- /dev/null +++ b/generated/elasticsearch/component/file.json 
@@ -0,0 +1,286 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json new file mode 100644 index 0000000000..381724c510 --- /dev/null +++ b/generated/elasticsearch/component/group.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json new file mode 100644 index 0000000000..3dbbb8e51a --- /dev/null +++ b/generated/elasticsearch/component/host.json 
@@ -0,0 +1,189 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json new file mode 100644 index 0000000000..26b934b372 --- /dev/null +++ b/generated/elasticsearch/component/http.json 
@@ -0,0 +1,87 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json new file mode 100644 index 0000000000..b73467cc7b --- /dev/null +++ b/generated/elasticsearch/component/log.json 
@@ -0,0 +1,87 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json new file mode 100644 index 0000000000..7310610229 --- /dev/null +++ b/generated/elasticsearch/component/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json new file mode 100644 index 0000000000..a4678c7862 --- /dev/null +++ b/generated/elasticsearch/component/observer.json 
@@ -0,0 +1,204 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json new file mode 100644 index 0000000000..8f912778be --- /dev/null +++ b/generated/elasticsearch/component/organization.json @@ -0,0 +1,30 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json new file mode 100644 index 0000000000..c15e8d6c91 --- /dev/null +++ b/generated/elasticsearch/component/package.json 
@@ -0,0 +1,66 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json new file mode 100644 index 0000000000..51f03ac672 --- /dev/null +++ b/generated/elasticsearch/component/process.json 
@@ -0,0 +1,346 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json new file mode 100644 index 0000000000..f6dea3211e --- /dev/null +++ b/generated/elasticsearch/component/registry.json @@ -0,0 +1,48 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json new file mode 100644 index 0000000000..39b205f4c2 --- /dev/null +++ b/generated/elasticsearch/component/related.json @@ -0,0 +1,31 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json new file mode 100644 index 0000000000..735200cd82 --- /dev/null +++ b/generated/elasticsearch/component/rule.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json new file mode 100644 index 0000000000..0d7e1a95ec --- /dev/null +++ b/generated/elasticsearch/component/server.json 
@@ -0,0 +1,178 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json new file mode 100644 index 0000000000..eb2e6517b3 --- /dev/null +++ b/generated/elasticsearch/component/service.json @@ -0,0 +1,48 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json new file mode 100644 index 0000000000..ae6db3d20f --- /dev/null +++ b/generated/elasticsearch/component/source.json 
@@ -0,0 +1,178 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json new file mode 100644 index 0000000000..bf0ecc3778 --- /dev/null +++ b/generated/elasticsearch/component/threat.json @@ -0,0 +1,80 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json new file mode 100644 index 0000000000..8eec703977 --- /dev/null +++ b/generated/elasticsearch/component/tls.json 
@@ -0,0 +1,354 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": 
false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json new file mode 100644 index 0000000000..bce8899078 --- /dev/null +++ b/generated/elasticsearch/component/tracing.json 
@@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json new file mode 100644 index 0000000000..89cd68c6bd --- /dev/null +++ b/generated/elasticsearch/component/url.json 
@@ -0,0 +1,83 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json new file mode 100644 index 0000000000..b9c0ca72c3 --- /dev/null +++ b/generated/elasticsearch/component/user.json 
@@ -0,0 +1,252 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json new file mode 100644 index 0000000000..1dfe0dc08e --- /dev/null +++ b/generated/elasticsearch/component/user_agent.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json new file mode 100644 index 0000000000..cd04fb1f4e --- /dev/null +++ b/generated/elasticsearch/component/vulnerability.json 
@@ -0,0 +1,79 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", + "ecs_version": "1.8.0-dev" + }, + "template": { + "mappings": { + "properties": { + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json new file mode 100644 index 0000000000..2405e0a28d --- /dev/null +++ b/generated/elasticsearch/template.json 
@@ -0,0 +1,71 @@ +{ + "_meta": { + "description": "Sample composable template that includes all ECS fields", + "ecs_version": "1.8.0-dev" + }, + "composed_of": [ + "ecs_1.8.0-dev_agent", + "ecs_1.8.0-dev_base", + "ecs_1.8.0-dev_client", + "ecs_1.8.0-dev_cloud", + "ecs_1.8.0-dev_container", + "ecs_1.8.0-dev_destination", + "ecs_1.8.0-dev_dll", + "ecs_1.8.0-dev_dns", + "ecs_1.8.0-dev_ecs", + "ecs_1.8.0-dev_error", + "ecs_1.8.0-dev_event", + "ecs_1.8.0-dev_file", + "ecs_1.8.0-dev_group", + "ecs_1.8.0-dev_host", + "ecs_1.8.0-dev_http", + "ecs_1.8.0-dev_log", + "ecs_1.8.0-dev_network", + "ecs_1.8.0-dev_observer", + "ecs_1.8.0-dev_organization", + "ecs_1.8.0-dev_package", + "ecs_1.8.0-dev_process", + "ecs_1.8.0-dev_registry", + "ecs_1.8.0-dev_related", + "ecs_1.8.0-dev_rule", + "ecs_1.8.0-dev_server", + "ecs_1.8.0-dev_service", + "ecs_1.8.0-dev_source", + "ecs_1.8.0-dev_threat", + "ecs_1.8.0-dev_tls", + "ecs_1.8.0-dev_tracing", + "ecs_1.8.0-dev_url", + "ecs_1.8.0-dev_user", + "ecs_1.8.0-dev_user_agent", + "ecs_1.8.0-dev_vulnerability" + ], + "index_patterns": [ + "try-ecs-*" + ], + "priority": 1, + "template": { + "mappings": { + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ] + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2000 + } + } + } + } + } +} \ No newline at end of file diff --git a/scripts/generator.py b/scripts/generator.py index 40d63e94cb..5a1dc24724 100644 --- a/scripts/generator.py +++ b/scripts/generator.py @@ -42,7 +42,7 @@ def main(): # ecs_helpers.yaml_dump('ecs.yml', fields) # Detect usage of experimental changes to tweak artifact version label - if loader.EXPERIMENTAL_SCHEMA_DIR in args.include: + if args.include and loader.EXPERIMENTAL_SCHEMA_DIR in args.include: ecs_version += "+exp" fields = loader.load_schemas(ref=args.ref, included_files=args.include) 
@@ -57,7 +57,8 @@ def main(): exit() csv_generator.generate(flat, ecs_version, out_dir) - es_template.generate(flat, ecs_version, out_dir, args.template_settings, args.mapping_settings) + es_template.generate(nested, ecs_version, out_dir, args.mapping_settings) + es_template.generate_legacy(flat, ecs_version, out_dir, args.template_settings, args.mapping_settings) beats.generate(nested, ecs_version, out_dir) if args.include or args.subset: exit() diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 65dc871a2e..2b7f6e6f58 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py 
@@ -1,44 +1,136 @@ +import copy import json import sys -import copy from os.path import join + from generators import ecs_helpers from schema.cleaner import field_or_multi_field_datatype_defaults from schema.oss import TYPE_FALLBACKS -def generate(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file): +# Composable Template + +def generate(ecs_nested, ecs_version, out_dir, mapping_settings_file): + """This generates all artifacts for the composable template approach""" + all_component_templates(ecs_nested, ecs_version, out_dir) + component_names = component_name_convention(ecs_version, ecs_nested) + save_composable_template(ecs_version, component_names, out_dir, mapping_settings_file) + + +def save_composable_template(ecs_version, component_names, out_dir, mapping_settings_file): + """Generate the master sample composable template""" + template = { + "index_patterns": ["try-ecs-*"], + "composed_of": component_names, + "priority": 1, # Very low, as this is a sample template + "_meta": { + "ecs_version": ecs_version, + "description": "Sample composable template that includes all ECS fields" + }, + "template": { + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2000 + } + } + } + }, + "mappings": mapping_settings(mapping_settings_file) + } + } + filename = join(out_dir, "elasticsearch/template.json") + save_json(filename, template) + + +def all_component_templates(ecs_nested, ecs_version, out_dir): + """Generate one component template per field set""" + component_dir = join(out_dir, 'elasticsearch/component') + ecs_helpers.make_dirs(component_dir) + + for (fieldset_name, fieldset) in candidate_components(ecs_nested).items(): + field_mappings = {} + for (flat_name, field) in fieldset['fields'].items(): + name_parts = flat_name.split('.') + dict_add_nested(field_mappings, name_parts, entry_for(field)) + + save_component_template(fieldset_name, ecs_version, component_dir, field_mappings) + + +def 
save_component_template(template_name, ecs_version, out_dir, field_mappings): + filename = join(out_dir, template_name) + ".json" + reference_url = "https://www.elastic.co/guide/en/ecs/current/ecs-{}.html".format(template_name) + + template = { + 'template': {'mappings': {'properties': field_mappings}}, + '_meta': { + 'ecs_version': ecs_version, + 'documentation': reference_url + } + } + save_json(filename, template) + + +def component_name_convention(ecs_version, ecs_nested): + version = ecs_version.replace('+', '-') + names = [] + for (fieldset_name, fieldset) in candidate_components(ecs_nested).items(): + names.append("ecs_{}_{}".format(version, fieldset_name)) + return names + + +def candidate_components(ecs_nested): + """Returns same structure as ecs_nested, but skips all field sets with reusable.top_level: False""" + components = {} + for (fieldset_name, fieldset) in ecs_nested.items(): + if fieldset.get('reusable', None): + if not fieldset['reusable']['top_level']: + continue + components[fieldset_name] = fieldset + return components + + +# Legacy template + + +def generate_legacy(ecs_flat, ecs_version, out_dir, template_settings_file, mapping_settings_file): + """Generate the legacy index template""" field_mappings = {} for flat_name in sorted(ecs_flat): field = ecs_flat[flat_name] - nestings = flat_name.split('.') - dict_add_nested(field_mappings, nestings, entry_for(field)) - - if mapping_settings_file: - with open(mapping_settings_file) as f: - mappings_section = json.load(f) - else: - mappings_section = default_mapping_settings(ecs_version) + name_parts = flat_name.split('.') + dict_add_nested(field_mappings, name_parts, entry_for(field)) + mappings_section = mapping_settings(mapping_settings_file) mappings_section['properties'] = field_mappings - generate_template_version(6, mappings_section, out_dir, template_settings_file) - generate_template_version(7, mappings_section, out_dir, template_settings_file) + generate_legacy_template_version(6, 
ecs_version, mappings_section, out_dir, template_settings_file) + generate_legacy_template_version(7, ecs_version, mappings_section, out_dir, template_settings_file) + + +def generate_legacy_template_version(es_version, ecs_version, mappings_section, out_dir, template_settings_file): + ecs_helpers.make_dirs(join(out_dir, 'elasticsearch', str(es_version))) + template = template_settings(es_version, ecs_version, mappings_section, template_settings_file) -# Field mappings + filename = join(out_dir, "elasticsearch/{}/template.json".format(es_version)) + save_json(filename, template) + + +# Common helpers -def dict_add_nested(dct, nestings, value): - current_nesting = nestings[0] - rest_nestings = nestings[1:] - if len(rest_nestings) > 0: +def dict_add_nested(dct, name_parts, value): + current_nesting = name_parts[0] + rest_name_parts = name_parts[1:] + if len(rest_name_parts) > 0: dct.setdefault(current_nesting, {}) dct[current_nesting].setdefault('properties', {}) dict_add_nested( dct[current_nesting]['properties'], - rest_nestings, + rest_name_parts, value) else: 
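Review bot: `save_component_template` writes to `join(out_dir, template_name) + ".json"` using the field-set name verbatim, with no check that the name is a plain identifier, so a name containing a path separator or `..` would land outside `elasticsearch/component` (the names come from the project's own schema YAML, so this is hardening rather than a live issue). Validating once before the write covers both the path and the documentation URL built from the same name: `if not re.fullmatch(r'[A-Za-z0-9_]+', template_name): raise ValueError("unsafe component template name: {}".format(template_name))`. Separately, `generate` calls `candidate_components(ecs_nested)` twice (once via `all_component_templates`, once via `component_name_convention`); computing it once and passing the result to both would keep the filtering logic from being evaluated in two places.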
@@ -84,17 +176,23 @@ def entry_for(field): raise ex return field_entry -# Generated files + +def mapping_settings(mapping_settings_file): + if mapping_settings_file: + with open(mapping_settings_file) as f: + mappings = json.load(f) + else: + mappings = default_mapping_settings() + return mappings -def generate_template_version(elasticsearch_version, mappings_section, out_dir, template_settings_file): - ecs_helpers.make_dirs(join(out_dir, 'elasticsearch', str(elasticsearch_version))) +def template_settings(es_version, ecs_version, mappings_section, template_settings_file): if template_settings_file: with open(template_settings_file) as f: template = json.load(f) else: - template = default_template_settings() - if elasticsearch_version == 6: + template = default_template_settings(ecs_version) + if es_version == 6: es6_mappings_section = copy.deepcopy(mappings_section) es6_type_fallback(es6_mappings_section['properties']) @@ -107,9 +205,7 @@ def generate_template_version(elasticsearch_version, mappings_section, out_dir, template['mappings'] = {'_doc': es6_mappings_section} else: template['mappings'] = mappings_section - - filename = join(out_dir, "elasticsearch/{}/template.json".format(elasticsearch_version)) - save_json(filename, template) + return template def save_json(file, data): @@ -120,9 +216,10 @@ def save_json(file, data): jsonfile.write(json.dumps(data, indent=2, sort_keys=True)) -def default_template_settings(): +def default_template_settings(ecs_version): return { "index_patterns": ["try-ecs-*"], + "_meta": {"version": ecs_version}, "order": 1, "settings": { "index": { @@ -133,14 +230,12 @@ def default_template_settings(): }, "refresh_interval": "5s" } - }, - "mappings": {} + } } -def default_mapping_settings(ecs_version): +def default_mapping_settings(): return { - "_meta": {"version": ecs_version}, "date_detection": False, "dynamic_templates": [ { 
@@ -152,8 +247,7 @@ def default_mapping_settings(ecs_version): "match_mapping_type": "string" } } - ], - "properties": {} + ] } From 5995da93c85da24061f8e9a04573922c1da68077 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 10 Dec 2020 16:31:18 -0500 Subject: [PATCH 57/90] [1.x] Move _meta section back inside mappings, in legacy templates. (#1186) (#1187) Backports the following commits to 1.x: * Move _meta section back inside mappings, in legacy templates. (#1186) This fixes an issue introduced by #1156, discovered in #1180. Composable templates support `_meta` at the template's root, but legacy templates don't. So we're just putting it back inside the mappings for legacy templates. This also fixes missing updates to the component template, after the introduction of wildcard in #1098. --- CHANGELOG.next.md | 4 ++-- .../generated/elasticsearch/7/template.json | 6 +++--- generated/elasticsearch/6/template.json | 6 +++--- generated/elasticsearch/7/template.json | 6 +++--- scripts/generators/es_template.py | 13 +++++++++---- 5 files changed, 20 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ce5be6eab8..8ca8f9e915 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -46,13 +46,13 @@ Thanks, you're awesome :-) --> * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051 * Added support for `constant_keyword`'s optional parameter `value`. #1112 -* Added component templates for ECS field sets. #1156 +* Added component templates for ECS field sets. #1156, #1186 #### Improvements * Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162 -* ES 6.x template data types will fallback to supported types. #1171, #1176 +* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186 #### Deprecated 
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index dfa18031da..1ae21ee498 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1,11 +1,11 @@ { - "_meta": { - "version": "1.8.0-dev+exp" - }, "index_patterns": [ "try-ecs-*" ], "mappings": { + "_meta": { + "version": "1.8.0-dev+exp" + }, "date_detection": false, "dynamic_templates": [ { diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index fa8b315edc..bf81034aec 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1,12 +1,12 @@ { - "_meta": { - "version": "1.8.0-dev" - }, "index_patterns": [ "try-ecs-*" ], "mappings": { "_doc": { + "_meta": { + "version": "1.8.0-dev" + }, "date_detection": false, "dynamic_templates": [ { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 2de32c5500..4b94205762 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1,11 +1,11 @@ { - "_meta": { - "version": "1.8.0-dev" - }, "index_patterns": [ "try-ecs-*" ], "mappings": { + "_meta": { + "version": "1.8.0-dev" + }, "date_detection": false, "dynamic_templates": [ { diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index 2b7f6e6f58..fb45800dce 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py 
@@ -192,19 +192,24 @@ def template_settings(es_version, ecs_version, mappings_section, template_settin template = json.load(f) else: template = default_template_settings(ecs_version) + if es_version == 6: - es6_mappings_section = copy.deepcopy(mappings_section) - es6_type_fallback(es6_mappings_section['properties']) + mappings_section = copy.deepcopy(mappings_section) + es6_type_fallback(mappings_section['properties']) # error.stack_trace needs special handling to set # index: false and doc_values: false - error_stack_trace_mappings = es6_mappings_section['properties']['error']['properties']['stack_trace'] + error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace'] error_stack_trace_mappings.setdefault('index', False) error_stack_trace_mappings.setdefault('doc_values', False) - template['mappings'] = {'_doc': es6_mappings_section} + template['mappings'] = {'_doc': mappings_section} else: template['mappings'] = mappings_section + + # _meta can't be at template root in legacy templates, so moving back to mappings section + mappings_section['_meta'] = template.pop('_meta') + return template From e288c02d337db748b9d02db9154e6edad79856b8 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 10 Dec 2020 16:03:07 -0600 Subject: [PATCH 58/90] [1.x] Apply the RFC 0005 stage 2 (host metrics) changes in the experimental artifacts (#1159) (#1184) Co-authored-by: Mathieu Martin --- experimental/generated/beats/fields.ecs.yml | 46 ++++++++++++ experimental/generated/csv/fields.csv | 7 ++ experimental/generated/ecs/ecs_flat.yml | 74 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 74 +++++++++++++++++++ .../generated/elasticsearch/7/template.json | 50 +++++++++++++ .../elasticsearch/component/host.json | 50 +++++++++++++ experimental/schemas/host.yml | 61 +++++++++++++++ 7 files changed, 362 insertions(+) 
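Review bot: `mappings_section['_meta'] = template.pop('_meta')` raises `KeyError` when the template was loaded from a user-supplied `template_settings_file`, because only `default_template_settings` is guaranteed to include `_meta`; `mappings_section['_meta'] = template.pop('_meta', {'version': ecs_version})` keeps the legacy output consistent in both cases. In the ES 7 branch `mappings_section` is the caller's dict and is now mutated in place, while the ES 6 branch works on a deepcopy; this only stays correct because `generate_legacy` renders the 6.x template before the 7.x one, so moving the `copy.deepcopy(mappings_section)` above the `if es_version == 6:` check would remove that ordering dependence.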
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 16c38aefca..6c7bab42a6 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2047,6 +2047,28 @@ ignore_above: 1024 description: Operating system architecture. example: x86_64 + - name: cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false - name: domain level: extended type: keyword 
@@ -2143,6 +2165,30 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false - name: os.family level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2c83d5823d..1912a88568 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -230,6 +230,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. 1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +1.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. 1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 
@@ -244,6 +247,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. 1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +1.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 255173741f..9f8aa0a1b6 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3182,6 +3182,40 @@ host.architecture: normalize: [] short: Operating system architecture. type: keyword +host.cpu.usage: + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.disk.read.bytes: + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long +host.disk.write.bytes: + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -3355,6 +3389,46 @@ host.name: normalize: [] short: Name of the host. type: keyword +host.network.egress.bytes: + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long +host.network.egress.packets: + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long +host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long +host.network.ingress.packets: + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5072c1b3de..f6c475532c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -3843,6 +3843,40 @@ host: normalize: [] short: Operating system architecture. type: keyword + host.cpu.usage: + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.disk.read.bytes: + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long + host.disk.write.bytes: + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -4018,6 +4052,46 @@ host: normalize: [] short: Name of the host. type: keyword + host.network.egress.bytes: + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long + host.network.egress.packets: + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long + host.network.ingress.bytes: + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long + host.network.ingress.packets: + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 1ae21ee498..0fe6ffed2b 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -1046,6 +1046,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -1102,6 +1128,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json index 19c9898702..72a4bf410b 100644 --- a/experimental/generated/elasticsearch/component/host.json +++ b/experimental/generated/elasticsearch/component/host.json @@ -12,6 +12,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -68,6 +94,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml index 91f3d1bbc2..1185d03e0b 100644 --- a/experimental/schemas/host.yml 
+++ b/experimental/schemas/host.yml 
@@ -2,3 +2,64 @@ fields: - name: hostname type: wildcard + + # RFC 0005 + - name: cpu.usage + type: scaled_float + scaling_factor: 1000 + level: extended + short: Percent CPU used, between 0 and 1. + description: > + Percent CPU used which is normalized by the number of CPU cores and it + ranges from 0 to 1. Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1. + + - name: network.ingress.bytes + type: long + level: extended + short: The number of bytes received on all network interfaces. + description: > + The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + + - name: network.ingress.packets + type: long + level: extended + short: The number of packets received on all network interfaces. + description: > + The number of packets (gauge) received on all network interfaces by the + host since the last metric collection. + + - name: network.egress.bytes + type: long + level: extended + short: The number of bytes sent on all network interfaces. + description: > + The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + + - name: network.egress.packets + type: long + level: extended + short: The number of packets sent on all network interfaces. + description: > + The number of packets (gauge) sent out on all network interfaces by the + host since the last metric collection. + + - name: disk.read.bytes + type: long + level: extended + short: The number of bytes read by all disks. + description: > + The total number of bytes (gauge) read successfully (aggregated from all + disks) since the last metric collection. + + - name: disk.write.bytes + type: long + level: extended + short: The number of bytes written on all disks. + description: > + The total number of bytes (gauge) written successfully (aggregated from + all disks) since the last metric collection. 
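Review bot: The `description` text of the six byte/packet fields in this hunk (`network.ingress.bytes` through `disk.write.bytes`) calls each value a `(gauge)` while also saying "since the last metric collection", which leaves unclear whether the value is a per-interval delta or a cumulative counter; anyone deriving rates or thresholds from host egress or disk volume needs to know which, and a delta is only interpretable together with the collection interval. If a per-interval delta is the intent, say so explicitly, e.g. for `network.egress.bytes`: `The number of bytes sent out on all network interfaces by the host during the interval since the last metric collection (a per-interval delta, not a cumulative counter).`, and mirror that wording on the other five; if it is cumulative, state that instead. Separately, `cpu.usage` is introduced as `Percent CPU used` but its documented range is 0 to 1, so `short: CPU usage as a fraction of all cores, between 0 and 1.` would stop readers from multiplying by 100, and the `Scaling factor: 1000.` sentence in the prose only restates the `scaling_factor` key below it. The bare `# RFC 0005` comment would be easier to follow with the RFC's title or a link next to it.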
From 0e94d2df1bedb300d11c8c485c313eed23af1f95 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Thu, 10 Dec 2020 16:39:00 -0600 Subject: [PATCH 59/90] [1.x] Stage 3 changes for wildcard RFC 0001 (#1098) (#1183) --- code/go/ecs/event.go | 4 +- docs/field-details.asciidoc | 314 ++++++---- experimental/generated/beats/fields.ecs.yml | 3 +- experimental/generated/ecs/ecs_flat.yml | 205 ++++++- experimental/generated/ecs/ecs_nested.yml | 219 ++++++- experimental/schemas/agent.yml | 5 - experimental/schemas/as.yml | 5 - experimental/schemas/client.yml | 7 - experimental/schemas/destination.yml | 7 - experimental/schemas/dns.yml | 9 - experimental/schemas/error.yml | 9 - experimental/schemas/file.yml | 9 - experimental/schemas/geo.yml | 5 - experimental/schemas/host.yml | 3 - experimental/schemas/http.yml | 9 - experimental/schemas/log.yml | 7 - experimental/schemas/organization.yml | 5 - experimental/schemas/os.yml | 7 - experimental/schemas/pe.yml | 5 - experimental/schemas/process.yml | 15 - experimental/schemas/registry.yml | 9 - experimental/schemas/server.yml | 7 - experimental/schemas/source.yml | 7 - experimental/schemas/tls.yml | 11 - experimental/schemas/url.yml | 13 - experimental/schemas/user.yml | 9 - experimental/schemas/user_agent.yml | 5 - experimental/schemas/x509.yml | 7 - generated/beats/fields.ecs.yml | 328 ++++------- generated/csv/fields.csv | 204 +++---- generated/ecs/ecs_flat.yml | 510 +++++++++------- generated/ecs/ecs_nested.yml | 545 +++++++++++------- generated/elasticsearch/7/template.json | 305 ++++------ generated/elasticsearch/component/agent.json | 3 +- generated/elasticsearch/component/client.json | 21 +- .../elasticsearch/component/destination.json | 21 +- generated/elasticsearch/component/dll.json | 3 +- generated/elasticsearch/component/dns.json | 6 +- generated/elasticsearch/component/error.json | 8 +- generated/elasticsearch/component/file.json | 18 +- generated/elasticsearch/component/host.json | 21 +- generated/elasticsearch/component/http.json | 9 +- generated/elasticsearch/component/log.json | 6 +- 
.../elasticsearch/component/observer.json | 9 +- .../elasticsearch/component/organization.json | 3 +- .../elasticsearch/component/process.json | 42 +- .../elasticsearch/component/registry.json | 9 +- generated/elasticsearch/component/server.json | 21 +- generated/elasticsearch/component/source.json | 21 +- generated/elasticsearch/component/tls.json | 24 +- generated/elasticsearch/component/url.json | 15 +- generated/elasticsearch/component/user.json | 36 +- .../elasticsearch/component/user_agent.json | 9 +- schemas/agent.yml | 3 +- schemas/as.yml | 3 +- schemas/client.yml | 6 +- schemas/destination.yml | 6 +- schemas/dns.yml | 6 +- schemas/error.yml | 7 +- schemas/event.yml | 4 +- schemas/file.yml | 9 +- schemas/geo.yml | 3 +- schemas/host.yml | 3 +- schemas/http.yml | 9 +- schemas/log.yml | 6 +- schemas/organization.yml | 3 +- schemas/os.yml | 6 +- schemas/pe.yml | 3 +- schemas/process.yml | 18 +- schemas/registry.yml | 9 +- schemas/server.yml | 6 +- schemas/source.yml | 6 +- schemas/tls.yml | 12 +- schemas/url.yml | 15 +- schemas/user.yml | 9 +- schemas/user_agent.yml | 3 +- schemas/x509.yml | 6 +- use-cases/auditbeat.md | 4 +- use-cases/filebeat-apache-access.md | 4 +- use-cases/kubernetes.md | 2 +- use-cases/metricbeat.md | 2 +- use-cases/web-logs.md | 6 +- 82 files changed, 1797 insertions(+), 1499 deletions(-) delete mode 100644 experimental/schemas/agent.yml delete mode 100644 experimental/schemas/as.yml delete mode 100644 experimental/schemas/client.yml delete mode 100644 experimental/schemas/destination.yml delete mode 100644 experimental/schemas/dns.yml delete mode 100644 experimental/schemas/error.yml delete mode 100644 experimental/schemas/file.yml delete mode 100644 experimental/schemas/geo.yml delete mode 100644 experimental/schemas/http.yml delete mode 100644 experimental/schemas/log.yml delete mode 100644 experimental/schemas/organization.yml delete mode 100644 experimental/schemas/os.yml delete mode 100644 experimental/schemas/pe.yml delete mode 
100644 experimental/schemas/process.yml delete mode 100644 experimental/schemas/registry.yml delete mode 100644 experimental/schemas/server.yml delete mode 100644 experimental/schemas/source.yml delete mode 100644 experimental/schemas/tls.yml delete mode 100644 experimental/schemas/url.yml delete mode 100644 experimental/schemas/user.yml delete mode 100644 experimental/schemas/user_agent.yml delete mode 100644 experimental/schemas/x509.yml diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index affd9c8250..1dfdf696c4 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -132,7 +132,9 @@ type Event struct { // Raw text message of entire event. Used to demonstrate log integrity. // This field is not indexed and doc_values are disabled. It cannot be - // searched, but it can be retrieved from `_source`. + // searched, but it can be retrieved from `_source`. If users wish to + // override this and index this field, consider using the wildcard data + // type. Original string `ecs:"original"` // Hash (perhaps logstash fingerprint) of raw field to be able to diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 7bfc74e85a..90fec37b2b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -115,11 +115,13 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha [[field-agent-build-original]] <> -| Extended build information for the agent. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: keyword +type: wildcard 
@@ -255,9 +257,11 @@ example: `15169` [[field-as-organization-name]] <> -| Organization name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Organization name. + +type: wildcard Multi-fields: @@ -341,9 +345,11 @@ example: `184` [[field-client-domain]] <> -| Client domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Client domain. + +type: wildcard @@ -457,13 +463,15 @@ type: long [[field-client-registered-domain]] <> -| The highest registered client domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -1015,9 +1023,11 @@ example: `184` [[field-destination-domain]] <> -| Destination domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Destination domain. + +type: wildcard 
@@ -1131,13 +1141,15 @@ type: long [[field-destination-registered-domain]] <> -| The highest registered destination domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -1378,11 +1390,13 @@ example: `IN` [[field-dns-answers-data]] <> -| The data describing the resource. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: keyword +type: wildcard @@ -1515,11 +1529,13 @@ example: `IN` [[field-dns-question-name]] <> -| The name being queried. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: keyword +type: wildcard @@ -1762,9 +1778,11 @@ type: text [[field-error-stack-trace]] <> -| The stack trace of this error in plain text. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The stack trace of this error in plain text. + +type: wildcard Multi-fields: 
@@ -1784,9 +1802,11 @@ Multi-fields: [[field-error-type]] <> -| The type of the error, for example the class name of the exception. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The type of the error, for example the class name of the exception. + +type: wildcard @@ -2059,7 +2079,7 @@ example: `apache` | Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type. type: keyword @@ -2423,9 +2443,11 @@ example: `sda` [[field-file-directory]] <> -| Directory where the file is located. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Directory where the file is located. It should include the drive letter, when appropriate. + +type: wildcard @@ -2603,9 +2625,11 @@ example: `alice` [[field-file-path]] <> -| Full path to the file, including the file name. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Full path to the file, including the file name. It should include the drive letter, when appropriate. + +type: wildcard Multi-fields: @@ -2643,9 +2667,11 @@ example: `16384` [[field-file-target-path]] <> -| Target path for symlinks. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Target path for symlinks. + +type: wildcard Multi-fields: 
@@ -2838,13 +2864,15 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }` [[field-geo-name]] <> -| User-defined description of a location, at the level of granularity they care about. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: keyword +type: wildcard @@ -3120,11 +3148,13 @@ example: `CONTOSO` [[field-host-hostname]] <> -| Hostname of the host. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: keyword +type: wildcard @@ -3317,9 +3347,11 @@ example: `887` [[field-http-request-body-content]] <> -| The full HTTP request body. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The full HTTP request body. + +type: wildcard Multi-fields: @@ -3395,9 +3427,11 @@ example: `image/gif` [[field-http-request-referrer]] <> -| Referrer for this HTTP request. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Referrer for this HTTP request. + +type: wildcard @@ -3427,9 +3461,11 @@ example: `887` [[field-http-response-body-content]] <> -| The full HTTP response body. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The full HTTP response body. + +type: wildcard Multi-fields: 
@@ -3609,11 +3645,13 @@ The details specific to your event source are typically not logged under `log.*` [[field-log-file-path]] <> -| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: keyword +type: wildcard @@ -3647,9 +3685,11 @@ example: `error` [[field-log-logger]] <> -| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: wildcard @@ -4443,9 +4483,11 @@ type: keyword [[field-organization-name]] <> -| Organization name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Organization name. + +type: wildcard Multi-fields: @@ -4497,9 +4539,11 @@ example: `debian` [[field-os-full]] <> -| Operating system name, including the version or code name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Operating system name, including the version or code name. + +type: wildcard Multi-fields: @@ -4535,9 +4579,11 @@ example: `4.4.0-112-generic` [[field-os-name]] <> -| Operating system name, without the version. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Operating system name, without the version. + +type: wildcard Multi-fields: 
@@ -4947,9 +4993,11 @@ example: `0c6803c4e922103c4dca5963aad36ddf` [[field-pe-original-file-name]] <> -| Internal name of the file, provided at compile-time. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Internal name of the file, provided at compile-time. + +type: wildcard @@ -5046,11 +5094,13 @@ example: `4` [[field-process-command-line]] <> -| Full command line that started the process, including the absolute path to the executable, and all arguments. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: keyword +type: wildcard Multi-fields: @@ -5090,9 +5140,11 @@ example: `c2c455d9f99375d` [[field-process-executable]] <> -| Absolute path to the process executable. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Absolute path to the process executable. + +type: wildcard Multi-fields: @@ -5130,11 +5182,13 @@ example: `137` [[field-process-name]] <> -| Process name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Process name. Sometimes called program name or similar. -type: keyword +type: wildcard Multi-fields: @@ -5234,9 +5288,11 @@ example: `4242` [[field-process-thread-name]] <> -| Thread name. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Thread name. + +type: wildcard 
@@ -5250,11 +5306,13 @@ example: `thread-0` [[field-process-title]] <> -| Process title. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: keyword +type: wildcard Multi-fields: @@ -5290,9 +5348,11 @@ example: `1325` [[field-process-working-directory]] <> -| The working directory of the process. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +The working directory of the process. + +type: wildcard Multi-fields: @@ -5393,11 +5453,13 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` [[field-registry-data-strings]] <> -| Content when writing string types. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: keyword +type: wildcard Note: this field should contain an array of values. @@ -5446,9 +5508,11 @@ example: `HKLM` [[field-registry-key]] <> -| Hive-relative path of keys. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Hive-relative path of keys. + +type: wildcard 
@@ -5462,9 +5526,11 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti [[field-registry-path]] <> -| Full path, including hive, key and value +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Full path, including hive, key and value + +type: wildcard @@ -5827,9 +5893,11 @@ example: `184` [[field-server-domain]] <> -| Server domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Server domain. + +type: wildcard @@ -5943,13 +6011,15 @@ type: long [[field-server-registered-domain]] <> -| The highest registered server domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -6238,9 +6308,11 @@ example: `184` [[field-source-domain]] <> -| Source domain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Source domain. + +type: wildcard 
@@ -6354,13 +6426,15 @@ type: long [[field-source-registered-domain]] <> -| The highest registered source domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -6779,9 +6853,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-client-issuer]] <> -| Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: wildcard @@ -6859,9 +6935,11 @@ example: `www.elastic.co` [[field-tls-client-subject]] <> -| Distinguished name of subject of the x.509 certificate presented by the client. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name of subject of the x.509 certificate presented by the client. + +type: wildcard @@ -7041,9 +7119,11 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-server-issuer]] <> -| Subject of the issuer of the x.509 certificate presented by the server. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Subject of the issuer of the x.509 certificate presented by the server. + +type: wildcard 
@@ -7105,9 +7185,11 @@ example: `1970-01-01T00:00:00.000Z` [[field-tls-server-subject]] <> -| Subject of the x.509 certificate presented by the server. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Subject of the x.509 certificate presented by the server. + +type: wildcard @@ -7272,13 +7354,15 @@ URL fields provide support for complete or partial URLs, and supports the breaki [[field-url-domain]] <> -| Domain of the url, such as "www.elastic.co". +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. -type: keyword +type: wildcard @@ -7332,9 +7416,11 @@ type: keyword [[field-url-full]] <> -| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: wildcard Multi-fields: 
@@ -7354,13 +7440,15 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top` [[field-url-original]] <> -| Unmodified original url as seen in the event source. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: keyword +type: wildcard Multi-fields: @@ -7396,9 +7484,11 @@ type: keyword [[field-url-path]] <> -| Path of the request, such as "/search". +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Path of the request, such as "/search". + +type: wildcard @@ -7446,13 +7536,15 @@ type: keyword [[field-url-registered-domain]] <> -| The highest registered url domain, stripped of the subdomain. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] + +The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: keyword +type: wildcard @@ -7576,9 +7668,11 @@ type: keyword [[field-user-email]] <> -| User email address. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +User email address. + +type: wildcard 
@@ -7592,9 +7686,11 @@ type: keyword [[field-user-full-name]] <> -| User's full name, if available. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +User's full name, if available. + +type: wildcard Multi-fields: @@ -7648,9 +7744,11 @@ type: keyword [[field-user-name]] <> -| Short name or login of the user. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Short name or login of the user. + +type: wildcard Multi-fields: @@ -7793,9 +7891,11 @@ example: `Safari` [[field-user-agent-original]] <> -| Unparsed user_agent string. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Unparsed user_agent string. + +type: wildcard Multi-fields: @@ -8240,9 +8340,11 @@ example: `US` [[field-x509-issuer-distinguished-name]] <> -| Distinguished name (DN) of issuing certificate authority. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name (DN) of issuing certificate authority. + +type: wildcard @@ -8498,9 +8600,11 @@ example: `US` [[field-x509-subject-distinguished-name]] <> -| Distinguished name (DN) of the certificate subject entity. +| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] -type: keyword +Distinguished name (DN) of the certificate subject entity. + +type: wildcard diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6c7bab42a6..9a58688014 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1334,7 +1334,8 @@ description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9f8aa0a1b6..8997fffccf 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -18,6 +18,8 @@ short: Date/time when the event originated. type: date agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -128,6 +130,8 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -155,6 +159,8 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -223,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -328,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -392,6 +402,8 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -402,6 +414,8 @@ client.user.email: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -479,6 +493,8 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -717,6 +733,8 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -744,6 +762,8 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain 
@@ -812,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -916,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -980,6 +1004,8 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -990,6 +1016,8 @@ destination.user.email: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1067,6 +1095,8 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert 
@@ -1296,6 +1326,8 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1349,6 +1381,8 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1449,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1615,6 +1651,8 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace @@ -1629,6 +1667,8 @@ error.stack_trace: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException 
@@ -2051,7 +2091,8 @@ event.original: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2514,6 +2555,8 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -2685,6 +2728,8 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -2765,6 +2810,8 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -2800,6 +2847,8 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path 
@@ -2877,6 +2926,8 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3066,6 +3117,8 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3290,6 +3343,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3331,6 +3386,8 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. @@ -3442,6 +3499,8 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -3470,6 +3529,8 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -3565,6 +3626,8 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -3575,6 +3638,8 @@ host.user.email: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -3652,6 +3717,8 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -3692,6 +3759,8 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world @@ -3751,6 +3820,8 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ 
@@ -3772,6 +3843,8 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -3851,6 +3924,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -3881,6 +3956,8 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -4411,6 +4488,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4597,6 +4676,8 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -4625,6 +4706,8 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -4750,6 +4833,8 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5010,6 +5095,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5047,6 +5134,8 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5119,6 +5208,8 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. @@ -5235,6 +5326,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. 
@@ -5274,6 +5367,8 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5348,6 +5443,8 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -5430,6 +5527,8 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5511,6 +5610,8 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -5522,6 +5623,8 @@ process.parent.thread.name: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -5551,6 +5654,8 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice 
@@ -5631,6 +5736,8 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5707,6 +5814,8 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -5717,6 +5826,8 @@ process.thread.name: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. @@ -5744,6 +5855,8 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -5774,6 +5887,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -5813,6 +5928,8 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe 
@@ -5823,6 +5940,8 @@ registry.key: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -6040,6 +6159,8 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -6067,6 +6188,8 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -6135,6 +6258,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6240,6 +6365,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6304,6 +6431,8 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email 
@@ -6314,6 +6443,8 @@ server.user.email: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6391,6 +6522,8 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -6559,6 +6692,8 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -6586,6 +6721,8 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -6654,6 +6791,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6759,6 +6898,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. 
@@ -6823,6 +6964,8 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -6833,6 +6976,8 @@ source.user.email: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6910,6 +7055,8 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -7188,6 +7335,8 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -7246,6 +7395,8 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. 
@@ -7311,6 +7462,8 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7500,6 +7653,8 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7690,6 +7845,8 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7733,6 +7890,8 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com 
@@ -7784,6 +7943,8 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7973,6 +8134,8 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8097,6 +8260,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8145,6 +8310,8 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -8161,6 +8328,8 @@ url.full: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. 
@@ -8191,6 +8360,8 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -8227,6 +8398,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8314,6 +8487,8 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -8324,6 +8499,8 @@ user.changes.email: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein @@ -8401,6 +8578,8 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -8455,6 +8634,8 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email 
@@ -8465,6 +8646,8 @@ user.effective.email: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -8542,6 +8725,8 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -8571,6 +8756,8 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -8580,6 +8767,8 @@ user.email: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein @@ -8654,6 +8843,8 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -8694,6 +8885,8 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email 
@@ -8704,6 +8897,8 @@ user.target.email: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -8781,6 +8976,8 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -8832,6 +9029,8 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -8860,6 +9059,8 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -8888,6 +9089,8 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f6c475532c..6d1a832021 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -118,6 +120,8 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC @@ -273,6 +277,8 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -300,6 +306,8 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -368,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -473,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. 
@@ -537,6 +549,8 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -547,6 +561,8 @@ client: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -624,6 +640,8 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -1004,6 +1022,8 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -1031,6 +1051,8 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -1099,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -1203,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1267,6 +1293,8 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1277,6 +1305,8 @@ destination: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1354,6 +1384,8 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1617,6 +1649,8 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1698,6 +1732,8 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. 
@@ -1800,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1987,6 +2025,8 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace @@ -2001,6 +2041,8 @@ error: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2449,7 +2491,8 @@ event: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2937,6 +2980,8 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. 
@@ -3108,6 +3153,8 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -3188,6 +3235,8 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -3223,6 +3272,8 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -3300,6 +3351,8 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3489,6 +3542,8 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -3648,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3952,6 +4009,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3993,6 +4052,8 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. @@ -4105,6 +4166,8 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4133,6 +4196,8 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -4230,6 +4295,8 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email 
@@ -4240,6 +4307,8 @@ host: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -4317,6 +4386,8 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -4381,6 +4452,8 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world @@ -4442,6 +4515,8 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -4463,6 +4538,8 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4600,6 +4677,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -4630,6 +4709,8 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -5191,6 +5272,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -5378,6 +5461,8 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5406,6 +5491,8 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -5571,6 +5658,8 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name 
@@ -5605,6 +5694,8 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5631,6 +5722,8 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X @@ -5930,6 +6023,8 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6073,6 +6168,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6110,6 +6207,8 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6182,6 +6281,8 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. 
@@ -6298,6 +6399,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6337,6 +6440,8 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6411,6 +6516,8 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -6493,6 +6600,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6574,6 +6683,8 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -6585,6 +6696,8 @@ process: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. 
@@ -6614,6 +6727,8 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -6694,6 +6809,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6770,6 +6887,8 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -6780,6 +6899,8 @@ process: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. @@ -6807,6 +6928,8 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -6870,6 +6993,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -6909,6 +7034,8 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -6919,6 +7046,8 @@ registry: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -7193,6 +7322,8 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -7220,6 +7351,8 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -7288,6 +7421,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7393,6 +7528,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. 
@@ -7457,6 +7594,8 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -7467,6 +7606,8 @@ server: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7544,6 +7685,8 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -7756,6 +7899,8 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -7783,6 +7928,8 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -7851,6 +7998,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -7956,6 +8105,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -8020,6 +8171,8 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -8030,6 +8183,8 @@ source: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -8107,6 +8262,8 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -8399,6 +8556,8 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -8459,6 +8618,8 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. 
@@ -8525,6 +8686,8 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -8714,6 +8877,8 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8904,6 +9069,8 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. @@ -8950,6 +9117,8 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com 
@@ -9001,6 +9170,8 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9190,6 +9361,8 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9365,6 +9538,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -9414,6 +9589,8 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -9431,6 +9608,8 @@ url: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. 
@@ -9461,6 +9640,8 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -9497,6 +9678,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -9597,6 +9780,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -9607,6 +9792,8 @@ user: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein @@ -9684,6 +9871,8 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -9738,6 +9927,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email 
@@ -9748,6 +9939,8 @@ user: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -9825,6 +10018,8 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -9854,6 +10049,8 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -9863,6 +10060,8 @@ user: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein @@ -9937,6 +10136,8 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -9977,6 +10178,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email 
@@ -9987,6 +10190,8 @@ user: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -10064,6 +10269,8 @@ user: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -10177,6 +10384,8 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -10205,6 +10414,8 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -10233,6 +10444,8 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X 
@@ -10613,6 +10826,8 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -10787,6 +11002,8 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml deleted file mode 100644 index d09e77111d..0000000000 --- a/experimental/schemas/agent.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: agent - fields: - - name: build.original - type: wildcard diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml deleted file mode 100644 index 96cf45621c..0000000000 --- a/experimental/schemas/as.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: as - fields: - - name: organization.name - type: wildcard diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml deleted file mode 100644 index 14ed3a9a37..0000000000 --- a/experimental/schemas/client.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - - name: client - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml deleted file mode 100644 index d64a84c6be..0000000000 --- a/experimental/schemas/destination.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- - - name: destination - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml deleted file mode 100644 index 466859c09f..0000000000 --- a/experimental/schemas/dns.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: dns - fields: - - name: question.name - type: wildcard - - name: answers - type: object - - name: answers.data - type: wildcard diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml deleted file mode 100644 index f2004d3fe0..0000000000 --- a/experimental/schemas/error.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: error - fields: - - name: stack_trace - index: true - type: wildcard - - - name: type - type: wildcard diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml deleted file mode 100644 index f4938d38be..0000000000 --- a/experimental/schemas/file.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: file - fields: - - name: directory - type: wildcard - - name: path - type: wildcard - - name: target_path - type: wildcard diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml deleted file mode 100644 index d3445a5a2b..0000000000 --- a/experimental/schemas/geo.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - - name: geo - fields: - - name: name - type: wildcard diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml index 1185d03e0b..eabc2f9af8 100644 --- a/experimental/schemas/host.yml +++ b/experimental/schemas/host.yml @@ -1,8 +1,5 @@ - name: host fields: - - name: hostname - type: wildcard - # RFC 0005 - name: cpu.usage type: scaled_float diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml deleted file mode 100644 index 1722cdc5e7..0000000000 --- a/experimental/schemas/http.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -- name: http - fields: - - name: request.body.content - type: wildcard - - name: request.referrer - type: wildcard - - name: response.body.content - type: wildcard diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml deleted file mode 100644 index 8a2f2dd397..0000000000 --- a/experimental/schemas/log.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: log - fields: - - name: file.path - type: wildcard - - name: logger - type: wildcard diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml deleted file mode 100644 index 594581413b..0000000000 --- a/experimental/schemas/organization.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: organization - fields: - - name: name - type: wildcard diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml deleted file mode 100644 index ec9d71a79c..0000000000 --- a/experimental/schemas/os.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: os - fields: - - name: name - type: wildcard - - name: full - type: wildcard diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml deleted file mode 100644 index 77a0574348..0000000000 --- a/experimental/schemas/pe.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: pe - fields: - - name: original_file_name - type: wildcard diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml deleted file mode 100644 index e759e97e86..0000000000 --- a/experimental/schemas/process.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: process - fields: - - name: command_line - type: wildcard - - name: executable - type: wildcard - - name: name - type: wildcard - - name: thread.name - type: wildcard - - name: title - type: wildcard - - name: working_directory - type: wildcard diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml deleted file mode 100644 index 66f6f6b22c..0000000000 --- a/experimental/schemas/registry.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -- name: registry - fields: - - name: key - type: wildcard - - name: path - type: wildcard - - name: data.strings - type: wildcard diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml deleted file mode 100644 index 70c285f374..0000000000 --- a/experimental/schemas/server.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - - name: server - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml deleted file mode 100644 index d810a6cb79..0000000000 --- a/experimental/schemas/source.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: source - fields: - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml deleted file mode 100644 index 4f5378a313..0000000000 --- a/experimental/schemas/tls.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: tls - fields: - - name: client.issuer - type: wildcard - - name: client.subject - type: wildcard - - name: server.issuer - type: wildcard - - name: server.subject - type: wildcard diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml deleted file mode 100644 index 0d5f66c36a..0000000000 --- a/experimental/schemas/url.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: url - fields: - - name: original - type: wildcard - - name: full - type: wildcard - - name: path - type: wildcard - - name: domain - type: wildcard - - name: registered_domain - type: wildcard diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml deleted file mode 100644 index 89e182fbee..0000000000 --- a/experimental/schemas/user.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: user - fields: - - name: name - type: wildcard - - name: full_name - type: wildcard - - name: email - type: wildcard 
diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml deleted file mode 100644 index c413a9d702..0000000000 --- a/experimental/schemas/user_agent.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: user_agent - fields: - - name: original - type: wildcard diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml deleted file mode 100644 index d1c7d8af6b..0000000000 --- a/experimental/schemas/x509.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: x509 - fields: - - name: issuer.distinguished_name - type: wildcard - - name: subject.distinguished_name - type: wildcard diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1caa603979..d7bb24c1bd 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -66,8 +66,7 @@ fields: - name: build.original level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Extended build information for the agent. This field is intended to contain any build information that a data source @@ -136,8 +135,7 @@ example: 15169 - name: organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -183,8 +181,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -200,8 +197,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Client domain. - name: geo.city_name level: core @@ -234,8 +230,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -292,8 +287,7 @@ description: Port of the client. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -337,13 +331,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -384,8 +376,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -605,8 +596,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -622,8 +612,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Destination domain. - name: geo.city_name level: core @@ -656,8 +645,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -713,8 +701,7 @@ description: Port of the destination. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -758,13 +745,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -805,8 +790,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -961,8 +945,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1005,8 +988,7 @@ example: IN - name: answers.data level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' @@ -1065,8 +1047,7 @@ example: IN - name: question.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), @@ -1185,19 +1166,16 @@ description: Error message. - name: stack_trace level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. - index: false - name: type level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event 
@@ -1356,7 +1334,8 @@ description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 index: false @@ -1585,8 +1564,7 @@ example: sda - name: directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice @@ -1680,8 +1658,7 @@ example: alice - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -1731,8 +1708,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1752,8 +1728,7 @@ example: 16384 - name: target_path level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -1797,8 +1772,7 @@ default_field: false - name: x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -1904,8 +1878,7 @@ default_field: false - name: x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false 
@@ -1984,8 +1957,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2118,8 +2090,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2142,8 +2113,7 @@ example: Quebec - name: hostname level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' @@ -2182,8 +2152,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2199,8 +2168,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2258,13 +2226,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2305,8 +2271,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2336,8 +2301,7 @@ example: 887 - name: request.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -2379,8 +2343,7 @@ default_field: false - name: request.referrer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -2391,8 +2354,7 @@ example: 887 - name: response.body.content level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2478,8 +2440,7 @@ fields: - name: file.path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -2500,8 +2461,7 @@ example: error - name: logger level: core - type: keyword - ignore_above: 1024 + type: wildcard description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap @@ -2847,8 +2807,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -2956,8 +2915,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -2973,8 +2931,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3057,8 +3014,7 @@ description: Unique identifier for the organization. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3079,8 +3035,7 @@ example: debian - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -3096,8 +3051,7 @@ example: 4.4.0-112-generic - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3277,8 +3231,7 @@ default_field: false - name: original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3362,8 +3315,7 @@ default_field: false - name: command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3391,8 +3343,7 @@ default_field: false - name: executable level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3431,8 +3382,7 @@ description: SHA512 hash. - name: name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3506,8 +3456,7 @@ default_field: false - name: parent.command_line level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3535,8 +3484,7 @@ default_field: false - name: parent.executable level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3579,8 +3527,7 @@ default_field: false - name: parent.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3631,8 +3578,7 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false 
@@ -3678,15 +3624,13 @@ default_field: false - name: parent.thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3704,8 +3648,7 @@ default_field: false - name: parent.working_directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3754,8 +3697,7 @@ default_field: false - name: pe.original_file_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3796,14 +3738,12 @@ example: 4242 - name: thread.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Thread name. example: thread-0 - name: title level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3820,8 +3760,7 @@ example: 1325 - name: working_directory level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -3848,8 +3787,7 @@ default_field: false - name: data.strings level: core - type: keyword - ignore_above: 1024 + type: wildcard description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single 
@@ -3875,15 +3813,13 @@ default_field: false - name: key level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -4068,8 +4004,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4085,8 +4020,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Server domain. - name: geo.city_name level: core @@ -4119,8 +4053,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -4177,8 +4110,7 @@ description: Port of the server. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4222,13 +4154,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4269,8 +4199,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -4404,8 +4333,7 @@ example: 15169 - name: as.organization.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4421,8 +4349,7 @@ example: 184 - name: domain level: core - type: keyword - ignore_above: 1024 + type: wildcard description: Source domain. - name: geo.city_name level: core @@ -4455,8 +4382,7 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'User-defined description of a location, at the level of granularity they care about. @@ -4513,8 +4439,7 @@ description: Port of the source. - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4558,13 +4483,11 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: user.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4605,8 +4528,7 @@ description: Unique identifier of the user. - name: user.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -4780,8 +4702,7 @@ default_field: false - name: client.issuer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -4819,8 +4740,7 @@ default_field: false - name: client.subject level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -4858,8 +4778,7 @@ default_field: false - name: client.x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -4965,8 +4884,7 @@ default_field: false - name: client.x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5079,8 +4997,7 @@ default_field: false - name: server.issuer level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -5109,8 +5026,7 @@ default_field: false - name: server.subject level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false @@ -5139,8 +5055,7 @@ default_field: false - name: server.x509.issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -5246,8 +5161,7 @@ default_field: false - name: server.x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5336,8 +5250,7 @@ fields: - name: domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -5371,8 +5284,7 @@ The `#` is not part of the fragment.' - name: full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5384,8 +5296,7 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5405,8 +5316,7 @@ description: Password of the request. - name: path level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Path of the request, such as "/search". - name: port level: extended @@ -5427,8 +5337,7 @@ the two cases.' - name: registered_domain level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -5496,14 +5405,12 @@ default_field: false - name: changes.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: changes.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5549,8 +5456,7 @@ default_field: false - name: changes.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -5582,14 +5488,12 @@ default_field: false - name: effective.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: effective.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5635,8 +5539,7 @@ default_field: false - name: effective.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5653,13 +5556,11 @@ default_field: false - name: email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. - name: full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5700,8 +5601,7 @@ description: Unique identifier of the user. - name: name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5726,14 +5626,12 @@ default_field: false - name: target.email level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: User email address. default_field: false - name: target.full_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5779,8 +5677,7 @@ default_field: false - name: target.name level: core - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5817,8 +5714,7 @@ example: Safari - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5834,8 +5730,7 @@ example: debian - name: os.full level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text @@ -5851,8 +5746,7 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text type: text 
@@ -6099,8 +5993,7 @@ default_field: false - name: issuer.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -6206,8 +6099,7 @@ default_field: false - name: subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 + type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cd996051dc..374aec3e21 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -3,7 +3,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. 1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. 1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.8.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. 1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. 1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 
@@ -11,16 +11,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. 1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. 1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.8.0-dev,true,client,client.domain,keyword,core,,,Client domain. +1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain. 1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. 
@@ -29,19 +29,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port 1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 1.8.0-dev,true,client,client.port,long,core,,,Port of the client. -1.8.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." 1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. 1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
@@ -62,16 +62,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. 1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.8.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. +1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. 1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 
1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. 
@@ -80,19 +80,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port 1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.8.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. 
1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
@@ -111,11 +111,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.8.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. 1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. 
@@ -123,7 +123,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. 1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.8.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. 1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." 1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
@@ -135,9 +135,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. 1.8.0-dev,true,error,error.message,text,core,,,Error message. -1.8.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. -1.8.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." 1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. 1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. 
@@ -173,7 +173,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,file,file.created,date,extended,,,File creation time. 1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.8.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
@@ -188,24 +188,24 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. 1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.8.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." 1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -1.8.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 
+1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. 1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) 1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
@@ -220,7 +220,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) 1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
@@ -236,19 +236,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. 1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. 1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. 1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 
@@ -256,34 +256,34 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. 1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,host,host.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. 1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.8.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. 
+1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. 1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). 1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. 1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.8.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. 1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.8.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. 1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. 1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). 1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. 1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.8.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. 1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. 
-1.8.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. 1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. 1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. @@ -322,7 +322,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
@@ -337,10 +337,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. 1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 
@@ -351,7 +351,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. 1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. 1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.8.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. 1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. 1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information 
@@ -373,17 +373,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. 1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 
1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
@@ -392,60 +392,60 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. 1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. 
+1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. 1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. 
+1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. 1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. 1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. 1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. 1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 1.8.0-dev,true,process,process.pid,long,core,,4242,Process id. 1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.title,keyword,extended,,,Process title. +1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title. 1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. 1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. 1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. 1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.8.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents 1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.8.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-1.8.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 
@@ -463,16 +463,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version 1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. 1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.8.0-dev,true,server,server.domain,keyword,core,,,Server domain. +1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain. 1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. 1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. 
@@ -481,19 +481,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port 1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 1.8.0-dev,true,server,server.port,long,core,,,Port of the server. -1.8.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." 1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. 1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
@@ -505,16 +505,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. 1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. 1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. 1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.8.0-dev,true,source,source.domain,keyword,core,,,Source domain. +1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain. 1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. 1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. 1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. 
@@ -523,19 +523,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port 1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 1.8.0-dev,true,source,source.port,long,core,,,Port of the source. -1.8.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." 1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -1.8.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. +1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. 1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. +1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. 1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 
@@ -557,17 +557,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. 1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. 1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.8.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. 1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) 1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
@@ -582,7 +582,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) 1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
@@ -597,15 +597,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. 1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. 1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. 1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.8.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. 
1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) 1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
@@ -620,7 +620,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) 1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
@@ -630,79 +630,79 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
 1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
-1.8.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
 1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.8.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.8.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
 1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
-1.8.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""."
+1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
 1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
 1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
-1.8.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
 1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
 1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-1.8.0-dev,true,user,user.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.8.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
-1.8.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address.
+1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
 1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
-1.8.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
 1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
-1.8.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.8.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.8.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 90d2496342..0c6e8374cf 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18,6 +18,8 @@ short: Date/time when the event originated. type: date agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -26,12 +28,11 @@ agent.build.original: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original - ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: keyword + type: wildcard agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). @@ -129,11 +130,12 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -144,7 +146,7 @@ client.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -157,15 +159,16 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: keyword + type: wildcard client.geo.city_name: dashed_name: client-geo-city-name description: City name. 
@@ -226,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -236,13 +241,12 @@ client.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -332,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -342,12 +348,11 @@ client.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: keyword + type: wildcard client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -397,22 +402,24 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -423,7 +430,7 @@ client.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. @@ -486,11 +493,12 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -501,7 +509,7 @@ client.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -725,11 +733,12 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -740,7 +749,7 @@ destination.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -753,15 +762,16 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: keyword + type: wildcard destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. @@ -822,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -832,13 +844,12 @@ destination.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -927,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -937,12 +950,11 @@ destination.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: keyword + type: wildcard destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -992,22 +1004,24 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1018,7 +1032,7 @@ destination.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. @@ -1081,11 +1095,12 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1096,7 +1111,7 @@ destination.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -1311,17 +1326,18 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -1365,18 +1381,19 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data - ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: keyword + type: wildcard dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1466,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1475,12 +1494,11 @@ dns.question.name: converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name - ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: keyword + type: wildcard dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -1633,12 +1651,11 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - ignore_above: 1024 - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -1648,18 +1665,19 @@ error.stack_trace: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: keyword + type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type - ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: keyword + type: wildcard event.action: dashed_name: event-action description: 'The action captured by the event. 
@@ -2073,7 +2091,8 @@ event.original: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and index + this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2536,17 +2555,18 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory - ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: keyword + type: wildcard file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant @@ -2708,12 +2728,13 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text @@ -2723,7 +2744,7 @@ file.path: name: path normalize: [] short: Full path to the file, including the file name. - type: keyword + type: wildcard file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. 
@@ -2789,17 +2810,18 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -2825,10 +2847,11 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -2838,7 +2861,7 @@ file.target_path: name: target_path normalize: [] short: Target path for symlinks. - type: keyword + type: wildcard file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -2903,18 +2926,19 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3093,17 +3117,18 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3284,6 +3309,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3294,13 +3321,12 @@ host.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3326,17 +3352,18 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname - ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: keyword + type: wildcard host.id: dashed_name: host-id description: 'Unique host id. @@ -3398,11 +3425,12 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -3413,7 +3441,7 @@ host.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. 
@@ -3427,11 +3455,12 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -3442,7 +3471,7 @@ host.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -3523,22 +3552,24 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -3549,7 +3580,7 @@ host.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -3612,11 +3643,12 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -3627,7 +3659,7 @@ host.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. @@ -3653,11 +3685,12 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -3667,7 +3700,7 @@ http.request.body.content: name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). 
@@ -3713,16 +3746,17 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -3735,11 +3769,12 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text @@ -3749,7 +3784,7 @@ http.response.body.content: name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -3815,6 +3850,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -3822,12 +3859,11 @@ log.file.path: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path - ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: keyword + type: wildcard log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -3846,17 +3882,18 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger - ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: keyword + type: wildcard log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated @@ -4377,6 +4414,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4387,13 +4426,12 @@ observer.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. 
@@ -4564,11 +4602,12 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -4579,7 +4618,7 @@ observer.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -4593,11 +4632,12 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text @@ -4608,7 +4648,7 @@ observer.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -4719,10 +4759,11 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text 
@@ -4732,7 +4773,7 @@ organization.name: name: name normalize: [] short: Organization name. - type: keyword + type: wildcard package.architecture: dashed_name: package-architecture description: Package architecture. @@ -4980,6 +5021,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -4987,7 +5030,6 @@ process.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -4997,7 +5039,7 @@ process.command_line: name: command_line normalize: [] short: Full command line that started the process. - type: keyword + type: wildcard process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -5018,11 +5060,12 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -5032,7 +5075,7 @@ process.executable: name: executable normalize: [] short: Absolute path to the process executable. - type: keyword + type: wildcard process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. 
@@ -5091,13 +5134,14 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -5107,7 +5151,7 @@ process.name: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the @@ -5208,6 +5252,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5215,7 +5261,6 @@ process.parent.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text @@ -5226,7 +5271,7 @@ process.parent.command_line: normalize: [] original_fieldset: process short: Full command line that started the process. - type: keyword + type: wildcard process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. 
@@ -5248,11 +5293,12 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -5263,7 +5309,7 @@ process.parent.executable: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: keyword + type: wildcard process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -5323,13 +5369,14 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -5340,7 +5387,7 @@ process.parent.name: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -5406,17 +5453,18 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -5488,25 +5536,27 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -5517,7 +5567,7 @@ process.parent.title: normalize: [] original_fieldset: process short: Process title. - type: keyword + type: wildcard process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -5530,11 +5580,12 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -5545,7 +5596,7 @@ process.parent.working_directory: normalize: [] original_fieldset: process short: The working directory of the process. - type: keyword + type: wildcard process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -5611,17 +5662,18 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5688,24 +5740,26 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -5715,7 +5769,7 @@ process.title: name: title normalize: [] short: Process title. - type: keyword + type: wildcard process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -5727,11 +5781,12 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -5741,7 +5796,7 @@ process.working_directory: name: working_directory normalize: [] short: The working directory of the process. - type: keyword + type: wildcard registry.data.bytes: dashed_name: registry-data-bytes description: 'Original bytes written with base64 encoding. 
@@ -5758,6 +5813,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -5768,13 +5825,12 @@ registry.data.strings: the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings - ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: keyword + type: wildcard registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -5798,28 +5854,30 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key - ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: keyword + type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path - ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: keyword + type: wildcard registry.value: dashed_name: registry-value description: Name of the value written. 
@@ -6027,11 +6085,12 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text @@ -6042,7 +6101,7 @@ server.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -6055,15 +6114,16 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: keyword + type: wildcard server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -6124,6 +6184,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6134,13 +6196,12 @@ server.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. 
@@ -6230,6 +6291,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6240,12 +6303,11 @@ server.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: keyword + type: wildcard server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes all @@ -6295,22 +6357,24 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -6321,7 +6385,7 @@ server.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -6384,11 +6448,12 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text @@ -6399,7 +6464,7 @@ server.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -6553,11 +6618,12 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -6568,7 +6634,7 @@ source.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -6581,15 +6647,16 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: keyword + type: wildcard source.geo.city_name: dashed_name: source-geo-city-name description: City name. 
@@ -6650,6 +6717,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6660,13 +6729,12 @@ source.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -6756,6 +6824,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6766,12 +6836,11 @@ source.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: keyword + type: wildcard source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -6821,22 +6890,24 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text @@ -6847,7 +6918,7 @@ source.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -6910,11 +6981,12 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -6925,7 +6997,7 @@ source.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -7189,18 +7261,19 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer - ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS @@ -7248,17 +7321,18 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject - ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. 
@@ -7314,18 +7388,19 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) @@ -7504,17 +7579,18 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) 
@@ -7695,16 +7771,17 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer - ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS @@ -7739,16 +7816,17 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject - ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate 
@@ -7791,18 +7869,19 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) @@ -7981,17 +8060,18 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) 
@@ -8106,6 +8186,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8116,12 +8198,11 @@ url.domain: the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain - ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: keyword + type: wildcard url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request url, @@ -8155,12 +8236,13 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text @@ -8170,8 +8252,10 @@ url.full: name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8181,7 +8265,6 @@ url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text 
@@ -8191,7 +8274,7 @@ url.original: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -8203,15 +8286,16 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -8240,6 +8324,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8250,12 +8336,11 @@ url.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: keyword + type: wildcard url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". 
@@ -8328,22 +8413,24 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -8354,7 +8441,7 @@ user.changes.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -8417,11 +8504,12 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text @@ -8432,7 +8520,7 @@ user.changes.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -8472,22 +8560,24 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -8498,7 +8588,7 @@ user.effective.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -8561,11 +8651,12 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text @@ -8576,7 +8667,7 @@ user.effective.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -8591,21 +8682,23 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email - ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: keyword + type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -8615,7 +8708,7 @@ user.full_name: name: full_name normalize: [] short: User's full name, if available. - type: keyword + type: wildcard user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -8676,11 +8769,12 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -8690,7 +8784,7 @@ user.name: name: name normalize: [] short: Short name or login of the user. - type: keyword + type: wildcard user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -8717,22 +8811,24 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -8743,7 +8839,7 @@ user.target.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -8806,11 +8902,12 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -8821,7 +8918,7 @@ user.target.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -8858,12 +8955,13 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -8873,7 +8971,7 @@ user_agent.original: name: original normalize: [] short: Unparsed user_agent string. - type: keyword + type: wildcard user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -8887,11 +8985,12 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -8902,7 +9001,7 @@ user_agent.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -8916,11 +9015,12 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -8931,7 +9031,7 @@ user_agent.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index eaa283a9a0..50c4915485 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -16,12 +18,11 @@ agent: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original - ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: keyword + type: wildcard agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). 
@@ -119,11 +120,12 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC flat_name: as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: as.organization.name.text @@ -133,7 +135,7 @@ as: name: organization.name normalize: [] short: Organization name. - type: keyword + type: wildcard group: 2 name: as prefix: as. @@ -275,11 +277,12 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -290,7 +293,7 @@ client: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -303,15 +306,16 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: keyword + type: wildcard client.geo.city_name: dashed_name: client-geo-city-name description: City name. 
@@ -372,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -382,13 +388,12 @@ client: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -478,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -488,12 +495,11 @@ client: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: keyword + type: wildcard client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes 
@@ -543,22 +549,24 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -569,7 +577,7 @@ client: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. @@ -632,11 +640,12 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -647,7 +656,7 @@ client: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1013,11 +1022,12 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -1028,7 +1038,7 @@ destination: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -1041,15 +1051,16 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: keyword + type: wildcard destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. @@ -1110,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1120,13 +1133,12 @@ destination: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. 
@@ -1215,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1225,12 +1239,11 @@ destination: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: keyword + type: wildcard destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -1280,22 +1293,24 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1306,7 +1321,7 @@ destination: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -1369,11 +1384,12 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1384,7 +1400,7 @@ destination: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -1633,17 +1649,18 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1715,18 +1732,19 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data - ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: keyword + type: wildcard dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1818,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1827,12 +1847,11 @@ dns: feeds should be converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name - ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: keyword + type: wildcard dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -2006,12 +2025,11 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - ignore_above: 1024 - index: false level: extended multi_fields: - flat_name: error.stack_trace.text 
@@ -2021,18 +2039,19 @@ error: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: keyword + type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type - ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: keyword + type: wildcard group: 2 name: error prefix: error. @@ -2472,7 +2491,8 @@ event: description: 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`.' + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' doc_values: false example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 @@ -2960,17 +2980,18 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory - ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: keyword + type: wildcard file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant 
@@ -3132,12 +3153,13 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text @@ -3147,7 +3169,7 @@ file: name: path normalize: [] short: Full path to the file, including the file name. - type: keyword + type: wildcard file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. @@ -3213,17 +3235,18 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -3249,10 +3272,11 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path - ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -3262,7 +3286,7 @@ file: name: target_path normalize: [] short: Target path for symlinks. - type: keyword + type: wildcard file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -3327,18 +3351,19 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3517,17 +3542,18 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3677,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3687,12 +3715,11 @@ geo: Not typically used in automated geolocation.' example: boston-dc flat_name: geo.name - ignore_above: 1024 level: extended name: name normalize: [] short: User-defined description of a location. - type: keyword + type: wildcard geo.region_iso_code: dashed_name: geo-region-iso-code description: Region ISO code. @@ -3948,6 +3975,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3958,13 +3987,12 @@ host: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3990,17 +4018,18 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname - ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: keyword + type: wildcard host.id: dashed_name: host-id description: 'Unique host id. 
@@ -4063,11 +4092,12 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -4078,7 +4108,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. @@ -4092,11 +4122,12 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -4107,7 +4138,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). 
@@ -4190,22 +4221,24 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -4216,7 +4249,7 @@ host: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. @@ -4279,11 +4312,12 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -4294,7 +4328,7 @@ host: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. 
@@ -4344,11 +4378,12 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -4358,7 +4393,7 @@ http: name: request.body.content normalize: [] short: The full HTTP request body. - type: keyword + type: wildcard http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -4406,16 +4441,17 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer - ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: keyword + type: wildcard http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -4428,11 +4464,12 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content - ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text 
@@ -4442,7 +4479,7 @@ http: name: response.body.content normalize: [] short: The full HTTP response body. - type: keyword + type: wildcard http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -4566,6 +4603,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4573,12 +4612,11 @@ log: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path - ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: keyword + type: wildcard log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -4597,17 +4635,18 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger - ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: keyword + type: wildcard log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated 
@@ -5159,6 +5198,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -5169,13 +5210,12 @@ observer: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -5347,11 +5387,12 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -5362,7 +5403,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -5376,11 +5417,12 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text 
@@ -5391,7 +5433,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -5542,10 +5584,11 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text @@ -5555,7 +5598,7 @@ organization: name: name normalize: [] short: Organization name. - type: keyword + type: wildcard group: 2 name: organization prefix: organization. @@ -5577,11 +5620,12 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: os.full.text @@ -5591,7 +5635,7 @@ os: name: full normalize: [] short: Operating system name, including the version or code name. - type: keyword + type: wildcard os.kernel: dashed_name: os-kernel description: Operating system kernel version as a raw string. @@ -5604,11 +5648,12 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X flat_name: os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: os.name.text 
@@ -5618,7 +5663,7 @@ os: name: name normalize: [] short: Operating system name, without the version. - type: keyword + type: wildcard os.platform: dashed_name: os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -5904,16 +5949,17 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. @@ -6048,6 +6094,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6055,7 +6103,6 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -6065,7 +6112,7 @@ process: name: command_line normalize: [] short: Full command line that started the process. - type: keyword + type: wildcard process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -6086,11 +6133,12 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -6100,7 +6148,7 @@ process: name: executable normalize: [] short: Absolute path to the process executable. - type: keyword + type: wildcard process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6159,13 +6207,14 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -6175,7 +6224,7 @@ process: name: name normalize: [] short: Process name. - type: keyword + type: wildcard process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to @@ -6276,6 +6325,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6283,7 +6334,6 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text 
@@ -6294,7 +6344,7 @@ process: normalize: [] original_fieldset: process short: Full command line that started the process. - type: keyword + type: wildcard process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. @@ -6316,11 +6366,12 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -6331,7 +6382,7 @@ process: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: keyword + type: wildcard process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6391,13 +6442,14 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -6408,7 +6460,7 @@ process: normalize: [] original_fieldset: process short: Process name. - type: keyword + type: wildcard process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -6474,17 +6526,18 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -6556,25 +6609,27 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: keyword + type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -6585,7 +6640,7 @@ process: normalize: [] original_fieldset: process short: Process title. - type: keyword + type: wildcard process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -6598,11 +6653,12 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -6613,7 +6669,7 @@ process: normalize: [] original_fieldset: process short: The working directory of the process. - type: keyword + type: wildcard process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -6679,17 +6735,18 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name - ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: keyword + type: wildcard process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6756,24 +6813,26 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name - ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: keyword + type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title - ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -6783,7 +6842,7 @@ process: name: title normalize: [] short: Process title. - type: keyword + type: wildcard process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -6795,11 +6854,12 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory - ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -6809,7 +6869,7 @@ process: name: working_directory normalize: [] short: The working directory of the process. - type: keyword + type: wildcard group: 2 name: process nestings: @@ -6859,6 +6919,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -6869,13 +6931,12 @@ registry: be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings - ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: keyword + type: wildcard registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -6899,28 +6960,30 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key - ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: keyword + type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path - ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: keyword + type: wildcard registry.value: dashed_name: registry-value description: Name of the value written. @@ -7185,11 +7248,12 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text 
@@ -7200,7 +7264,7 @@ server: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -7213,15 +7277,16 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: keyword + type: wildcard server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -7282,6 +7347,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7292,13 +7359,12 @@ server: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -7388,6 +7454,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. 
@@ -7398,12 +7466,11 @@ server: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: keyword + type: wildcard server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -7453,22 +7520,24 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -7479,7 +7548,7 @@ server: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. @@ -7542,11 +7611,12 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text 
@@ -7557,7 +7627,7 @@ server: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -7755,11 +7825,12 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -7770,7 +7841,7 @@ source: normalize: [] original_fieldset: as short: Organization name. - type: keyword + type: wildcard source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -7783,15 +7854,16 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain - ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: keyword + type: wildcard source.geo.city_name: dashed_name: source-geo-city-name description: City name. @@ -7852,6 +7924,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -7862,13 +7936,12 @@ source: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name - ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: keyword + type: wildcard source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -7958,6 +8031,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -7968,12 +8043,11 @@ source: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: keyword + type: wildcard source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -8023,22 +8097,24 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text 
@@ -8049,7 +8125,7 @@ source: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -8112,11 +8188,12 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name - ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -8127,7 +8204,7 @@ source: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -8405,18 +8482,19 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer - ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS 
@@ -8466,18 +8544,19 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject - ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: keyword + type: wildcard tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. @@ -8533,18 +8612,19 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) 
@@ -8723,17 +8803,18 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) @@ -8914,17 +8995,18 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer - ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS 
@@ -8961,16 +9043,17 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject - ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: keyword + type: wildcard tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate @@ -9013,18 +9096,19 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) 
@@ -9203,17 +9287,18 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) @@ -9379,6 +9464,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -9390,12 +9477,11 @@ url: field.' example: www.elastic.co flat_name: url.domain - ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: keyword + type: wildcard url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request @@ -9429,13 +9515,14 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full - ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text 
@@ -9445,8 +9532,10 @@ url: name: full normalize: [] short: Full unparsed URL. - type: keyword + type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9456,7 +9545,6 @@ url: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original - ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text @@ -9466,7 +9554,7 @@ url: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: keyword + type: wildcard url.password: dashed_name: url-password description: Password of the request. @@ -9478,15 +9566,16 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path - ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: keyword + type: wildcard url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -9515,6 +9604,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. 
@@ -9525,12 +9616,11 @@ url: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain - ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: keyword + type: wildcard url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". @@ -9616,22 +9706,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -9642,7 +9734,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -9705,11 +9797,12 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text 
@@ -9720,7 +9813,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. @@ -9760,22 +9853,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -9786,7 +9881,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -9849,11 +9944,12 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text 
@@ -9864,7 +9960,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. @@ -9879,21 +9975,23 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email - ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: keyword + type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -9903,7 +10001,7 @@ user: name: full_name normalize: [] short: User's full name, if available. - type: keyword + type: wildcard user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -9964,11 +10062,12 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -9978,7 +10077,7 @@ user: name: name normalize: [] short: Short name or login of the user. - type: keyword + type: wildcard user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -10005,22 +10104,24 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email - ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: keyword + type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name - ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -10031,7 +10132,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: keyword + type: wildcard user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -10094,11 +10195,12 @@ user: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name - ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -10109,7 +10211,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: keyword + type: wildcard user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -10208,12 +10310,13 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -10223,7 +10326,7 @@ user_agent: name: original normalize: [] short: Unparsed user_agent string. - type: keyword + type: wildcard user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -10237,11 +10340,12 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -10252,7 +10356,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: keyword + type: wildcard user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -10266,11 +10370,12 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name - ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -10281,7 +10386,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: keyword + type: wildcard user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -10647,17 +10752,18 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: x509.issuer.distinguished_name - ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] short: Distinguished name (DN) of issuing certificate authority. - type: keyword + type: wildcard x509.issuer.locality: dashed_name: x509-issuer-locality description: List of locality names (L) 
@@ -10822,16 +10928,17 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: x509.subject.distinguished_name - ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] short: Distinguished name (DN) of the certificate subject entity. - type: keyword + type: wildcard x509.subject.locality: dashed_name: x509-subject-locality description: List of locality names (L) diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 4b94205762..98bf95f301 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -27,8 +27,7 @@ "build": { "properties": { "original": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -74,8 +73,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -85,8 +83,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -110,8 +107,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -147,8 +143,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -165,8 +160,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -175,8 +169,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { 
@@ -209,8 +202,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -331,8 +323,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -342,8 +333,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -367,8 +357,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -404,8 +393,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -422,8 +410,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -432,8 +419,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -466,8 +452,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -551,8 +536,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -571,8 +555,7 @@ "type": "keyword" }, "data": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "name": { "ignore_above": 1024, @@ -607,8 +590,7 @@ "type": "keyword" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "registered_domain": { "ignore_above": 1024, @@ -664,20 +646,16 @@ "type": "text" }, "stack_trace": { - "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "ignore_above": 1024, - "index": false, - "type": "keyword" + "type": "wildcard" }, "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, 
@@ -819,8 +797,7 @@ "type": "keyword" }, "directory": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "drive_letter": { "ignore_above": 1, @@ -888,8 +865,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -914,8 +890,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -933,8 +908,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -961,8 +935,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -1023,8 +996,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -1100,8 +1072,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -1114,8 +1085,7 @@ } }, "hostname": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "id": { "ignore_above": 1024, @@ -1145,8 +1115,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -1159,8 +1128,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, @@ -1190,8 +1158,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -1200,8 +1167,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -1234,8 +1200,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, 
@@ -1261,8 +1226,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1278,8 +1242,7 @@ "type": "keyword" }, "referrer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1297,8 +1260,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1328,8 +1290,7 @@ "file": { "properties": { "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1338,8 +1299,7 @@ "type": "keyword" }, "logger": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "origin": { "properties": { @@ -1537,8 +1497,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -1615,8 +1574,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -1629,8 +1587,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, @@ -1681,8 +1638,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1777,8 +1733,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -1791,8 +1746,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" @@ -1824,8 +1778,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "parent": { "properties": { @@ -1864,8 +1817,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -1878,8 +1830,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" 
@@ -1911,8 +1862,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -1937,8 +1887,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -1964,8 +1913,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -1976,8 +1924,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -1989,8 +1936,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2017,8 +1963,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -2044,8 +1989,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2056,8 +2000,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -2069,8 +2012,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -2083,8 +2025,7 @@ "type": "keyword" }, "strings": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -2097,12 +2038,10 @@ "type": "keyword" }, "key": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "value": { "ignore_above": 1024, @@ -2193,8 +2132,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -2204,8 +2142,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { 
@@ -2229,8 +2166,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -2266,8 +2202,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -2284,8 +2219,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -2294,8 +2228,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -2328,8 +2261,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -2395,8 +2327,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -2406,8 +2337,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -2431,8 +2361,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -2468,8 +2397,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -2486,8 +2414,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -2496,8 +2423,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -2530,8 +2456,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -2654,8 +2579,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3": { "ignore_above": 1024, 
@@ -2672,8 +2596,7 @@ "type": "keyword" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "supported_ciphers": { "ignore_above": 1024, @@ -2696,8 +2619,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2758,8 +2680,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2828,8 +2749,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3s": { "ignore_above": 1024, @@ -2842,8 +2762,7 @@ "type": "date" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "x509": { "properties": { @@ -2862,8 +2781,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2924,8 +2842,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -2982,8 +2899,7 @@ "url": { "properties": { "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "extension": { "ignore_above": 1024, @@ -3000,8 +2916,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "original": { "fields": { @@ -3010,16 +2925,14 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "port": { "type": "long" @@ -3029,8 +2942,7 @@ "type": "keyword" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "scheme": { "ignore_above": 1024, 
@@ -3059,8 +2971,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3069,8 +2980,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3103,8 +3013,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3123,8 +3032,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3133,8 +3041,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3167,8 +3074,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3177,8 +3083,7 @@ } }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3187,8 +3092,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3221,8 +3125,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3235,8 +3138,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -3245,8 +3147,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -3279,8 +3180,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -3311,8 +3211,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "os": { "properties": { @@ -3327,8 +3226,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, 
@@ -3341,8 +3239,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json index c130016bbd..353ba82a15 100644 --- a/generated/elasticsearch/component/agent.json +++ b/generated/elasticsearch/component/agent.json @@ -11,8 +11,7 @@ "build": { "properties": { "original": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json index 5dde7cdb39..31e691aed1 100644 --- a/generated/elasticsearch/component/client.json +++ b/generated/elasticsearch/component/client.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json index 1a24a18e99..d9e445f419 100644 --- a/generated/elasticsearch/component/destination.json 
+++ b/generated/elasticsearch/component/destination.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index e630a76c71..d1654a2995 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -80,8 +80,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json index 42d21fc551..15a736a4cf 100644 --- a/generated/elasticsearch/component/dns.json +++ b/generated/elasticsearch/component/dns.json @@ -15,8 +15,7 @@ "type": "keyword" }, "data": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "name": { "ignore_above": 1024, 
@@ -51,8 +50,7 @@ "type": "keyword" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "registered_domain": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json index d22a07231f..6ed08970ef 100644 --- a/generated/elasticsearch/component/error.json +++ b/generated/elasticsearch/component/error.json @@ -21,20 +21,16 @@ "type": "text" }, "stack_trace": { - "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "ignore_above": 1024, - "index": false, - "type": "keyword" + "type": "wildcard" }, "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index cf1324a4f2..073dc7959e 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -47,8 +47,7 @@ "type": "keyword" }, "directory": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "drive_letter": { "ignore_above": 1, @@ -116,8 +115,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -142,8 +140,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -161,8 +158,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -189,8 +185,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -251,8 +246,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, 
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index 3dbbb8e51a..de2b9925b0 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -38,8 +38,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -52,8 +51,7 @@ } }, "hostname": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "id": { "ignore_above": 1024, @@ -83,8 +81,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -97,8 +94,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, @@ -128,8 +124,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -138,8 +133,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -172,8 +166,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json index 26b934b372..ee434bc3d3 100644 --- a/generated/elasticsearch/component/http.json +++ b/generated/elasticsearch/component/http.json @@ -22,8 +22,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -39,8 +38,7 @@ "type": "keyword" }, "referrer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -58,8 +56,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json index b73467cc7b..79ac511fe0 100644 
--- a/generated/elasticsearch/component/log.json +++ b/generated/elasticsearch/component/log.json @@ -11,8 +11,7 @@ "file": { "properties": { "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -21,8 +20,7 @@ "type": "keyword" }, "logger": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "origin": { "properties": { diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json index a4678c7862..f7b5f2fd65 100644 --- a/generated/elasticsearch/component/observer.json +++ b/generated/elasticsearch/component/observer.json @@ -67,8 +67,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -145,8 +144,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, @@ -159,8 +157,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json index 8f912778be..c00ed11538 100644 --- a/generated/elasticsearch/component/organization.json +++ b/generated/elasticsearch/component/organization.json @@ -19,8 +19,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 51f03ac672..472f0029fb 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -43,8 +43,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -57,8 +56,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" 
@@ -90,8 +88,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "parent": { "properties": { @@ -130,8 +127,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, @@ -144,8 +140,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "exit_code": { "type": "long" @@ -177,8 +172,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "pe": { "properties": { @@ -203,8 +197,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -230,8 +223,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -242,8 +234,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -255,8 +246,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -283,8 +273,7 @@ "type": "keyword" }, "original_file_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "product": { "ignore_above": 1024, @@ -310,8 +299,7 @@ "type": "long" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } }, @@ -322,8 +310,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "uptime": { "type": "long" @@ -335,8 +322,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json index f6dea3211e..db6a8c5ba2 100644 --- a/generated/elasticsearch/component/registry.json +++ b/generated/elasticsearch/component/registry.json 
@@ -15,8 +15,7 @@ "type": "keyword" }, "strings": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "type": { "ignore_above": 1024, @@ -29,12 +28,10 @@ "type": "keyword" }, "key": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "value": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index 0d7e1a95ec..7a5940efb4 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } @@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index ae6db3d20f..ae2b85b106 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -26,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" } } } 
@@ -37,8 +36,7 @@ "type": "long" }, "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "geo": { "properties": { @@ -62,8 +60,7 @@ "type": "geo_point" }, "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "region_iso_code": { "ignore_above": 1024, @@ -99,8 +96,7 @@ "type": "long" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "subdomain": { "ignore_above": 1024, @@ -117,8 +113,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -127,8 +122,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -161,8 +155,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json index 8eec703977..be3dd91253 100644 --- a/generated/elasticsearch/component/tls.json +++ b/generated/elasticsearch/component/tls.json @@ -39,8 +39,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3": { "ignore_above": 1024, @@ -57,8 +56,7 @@ "type": "keyword" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "supported_ciphers": { "ignore_above": 1024, @@ -81,8 +79,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -143,8 +140,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -213,8 +209,7 @@ } }, "issuer": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "ja3s": { "ignore_above": 1024, 
@@ -227,8 +222,7 @@ "type": "date" }, "subject": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "x509": { "properties": { @@ -247,8 +241,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, @@ -309,8 +302,7 @@ "type": "keyword" }, "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "locality": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json index 89cd68c6bd..c50ced4a7d 100644 --- a/generated/elasticsearch/component/url.json +++ b/generated/elasticsearch/component/url.json @@ -9,8 +9,7 @@ "url": { "properties": { "domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "extension": { "ignore_above": 1024, @@ -27,8 +26,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "original": { "fields": { @@ -37,16 +35,14 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "port": { "type": "long" @@ -56,8 +52,7 @@ "type": "keyword" }, "registered_domain": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "scheme": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json index b9c0ca72c3..8a1a714414 100644 --- a/generated/elasticsearch/component/user.json +++ b/generated/elasticsearch/component/user.json @@ -15,8 +15,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -25,8 +24,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { 
@@ -59,8 +57,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -79,8 +76,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -89,8 +85,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -123,8 +118,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -133,8 +127,7 @@ } }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -143,8 +136,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -177,8 +169,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, @@ -191,8 +182,7 @@ "type": "keyword" }, "email": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "full_name": { "fields": { @@ -201,8 +191,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "group": { "properties": { @@ -235,8 +224,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json index 1dfe0dc08e..c45d126c48 100644 --- a/generated/elasticsearch/component/user_agent.json +++ b/generated/elasticsearch/component/user_agent.json @@ -27,8 +27,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "os": { "properties": { @@ -43,8 +42,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "kernel": { "ignore_above": 1024, 
@@ -57,8 +55,7 @@ "type": "text" } }, - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "platform": { "ignore_above": 1024, diff --git a/schemas/agent.yml b/schemas/agent.yml index a7758e90ce..ada014aecb 100644 --- a/schemas/agent.yml +++ b/schemas/agent.yml @@ -24,8 +24,9 @@ - name: build.original level: core - type: keyword + type: wildcard short: Extended build information for the agent. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Extended build information for the agent. diff --git a/schemas/as.yml b/schemas/as.yml index 952d7febeb..0094a46a9a 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -29,7 +29,8 @@ - name: organization.name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Organization name. example: Google LLC diff --git a/schemas/client.yml b/schemas/client.yml index e63ab70276..b61329316e 100644 --- a/schemas/client.yml +++ b/schemas/client.yml @@ -53,14 +53,16 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Client domain. - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered client domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered client domain, stripped of the subdomain. diff --git a/schemas/destination.yml b/schemas/destination.yml index a1e91958f7..ab6979e346 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml 
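Review bot: The `beta:` line added to `build.original` records only that the field "used to be type `keyword`", but the generated component mappings in this same commit drop `ignore_above: 1024` together with the type change, so string values longer than 1024 characters that were previously left out of the index will now be indexed in full, and nothing in these hunks re-adds a limit for the `wildcard` fields. That is the part of the change a deployer has to size and budget for, so the note should say it, e.g. extend the sentence with `This field used to be type keyword with ignore_above 1024; longer values are now indexed in full.`. The same gap is in every `beta:` line added in schemas/as.yml, client.yml, destination.yml, dns.yml, error.yml, file.yml, geo.yml, host.yml, http.yml, log.yml, organization.yml, os.yml, pe.yml, process.yml, registry.yml, server.yml and source.yml.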
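Review bot: The `beta:` key lands in a different slot from field to field: in this client.yml hunk `domain` gets it straight after `type:` while `registered_domain` gets it after `short:`, and the same drift shows up in schemas/destination.yml, dns.yml, file.yml, log.yml, os.yml and process.yml (`thread.name` has it before `example:`, `working_directory` after it). Since the note is about the type, put it directly after `type: wildcard` in every touched field so the schema files stay diff-friendly and the generator sees one shape. This is a style point only; the emitted mappings are unaffected.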
@@ -48,13 +48,15 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Destination domain. - name: registered_domain level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: The highest registered destination domain, stripped of the subdomain. description: > The highest registered destination domain, stripped of the subdomain. diff --git a/schemas/dns.yml b/schemas/dns.yml index afe11a190a..220a723967 100644 --- a/schemas/dns.yml +++ b/schemas/dns.yml @@ -66,8 +66,9 @@ - name: question.name level: extended - type: keyword + type: wildcard short: The name being queried. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name being queried. @@ -185,8 +186,9 @@ - name: answers.data level: extended - type: keyword + type: wildcard short: The data describing the resource. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The data describing the resource. diff --git a/schemas/error.yml b/schemas/error.yml index 7d96f09a4b..b1ae66f588 100644 --- a/schemas/error.yml +++ b/schemas/error.yml @@ -31,15 +31,16 @@ - name: type level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: java.lang.NullPointerException description: > The type of the error, for example the class name of the exception. - name: stack_trace level: extended - type: keyword - index: false + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The stack trace of this error in plain text. multi_fields: 
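Review bot: `stack_trace` loses `index: false` in the error.yml hunk, so the field goes from stored-but-unsearchable to fully indexed (the generated error.json in this commit also drops `doc_values: false` and `ignore_above: 1024`), yet the added `beta:` text only says it "used to be type `keyword`". A stack trace is typically large and often carries internal paths and argument values, so operators should be told that the field is now searchable and consumes index space rather than living only in `_source`; the beta note or description should state that it was previously `index: false`. The `multi_fields:` block of this field continues past the end of the hunk.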
diff --git a/schemas/event.yml b/schemas/event.yml index 45128fcf4a..0edbf6b8de 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -590,7 +590,9 @@ Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be - searched, but it can be retrieved from `_source`. + searched, but it can be retrieved from `_source`. If users wish to + override this and index this field, consider using the wildcard + data type. index: false doc_values: false diff --git a/schemas/file.yml b/schemas/file.yml index 545b4661fa..419116c8da 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -33,8 +33,9 @@ - name: directory level: extended - type: keyword + type: wildcard short: Directory where the file is located. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Directory where the file is located. It should include the drive letter, when appropriate. @@ -53,8 +54,9 @@ - name: path level: extended - type: keyword + type: wildcard short: Full path to the file, including the file name. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -65,7 +67,8 @@ - name: target_path level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Target path for symlinks. multi_fields: - type: text diff --git a/schemas/geo.yml b/schemas/geo.yml index 347d60829e..a6654d982f 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml 
@@ -71,8 +71,9 @@ - name: name level: extended - type: keyword + type: wildcard short: User-defined description of a location. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > User-defined description of a location, at the level of granularity they care about. diff --git a/schemas/host.yml b/schemas/host.yml index 2fdbd9e4f7..f751d9b3ff 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -14,8 +14,9 @@ - name: hostname level: core - type: keyword + type: wildcard short: Hostname of the host. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Hostname of the host. diff --git a/schemas/http.yml b/schemas/http.yml index 9002408cab..f0ee23c53a 100644 --- a/schemas/http.yml +++ b/schemas/http.yml @@ -42,7 +42,8 @@ - name: request.body.content level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The full HTTP request body. example: Hello world @@ -52,7 +53,8 @@ - name: request.referrer level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Referrer for this HTTP request. example: https://blog.example.com/ @@ -81,7 +83,8 @@ - name: response.body.content level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The full HTTP response body. example: Hello world diff --git a/schemas/log.yml b/schemas/log.yml index fed4c063dd..991b9235a0 100644 --- a/schemas/log.yml +++ b/schemas/log.yml 
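Review bot: `request.body.content` (and `response.body.content` in the third http.yml hunk) becomes `wildcard` with no `ignore_above`, where the generated http.json in this commit shows the previous mapping stopped indexing values above 1024 characters; the full request and response body is now indexed, and for these two fields that means credentials, session tokens and form data submitted in the body become searchable and are retained in the index, not only in `_source`. The description should say so and direct users to redact or drop sensitive body content at ingest when they populate the field, e.g. add to the description: `The full body is indexed; redact or drop sensitive content at ingest time.` The `example: Hello world` lines are unchanged and the hunks are otherwise fine.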
@@ -31,8 +31,9 @@ - name: file.path level: extended - type: keyword + type: wildcard short: Full path to the log file this event came from. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -63,9 +64,10 @@ - name: logger level: core - type: keyword + type: wildcard example: org.elasticsearch.bootstrap.Bootstrap short: Name of the logger. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. diff --git a/schemas/organization.yml b/schemas/organization.yml index dcd2358927..4eee9ce663 100644 --- a/schemas/organization.yml +++ b/schemas/organization.yml @@ -14,7 +14,8 @@ - name: name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Organization name. multi_fields: diff --git a/schemas/os.yml b/schemas/os.yml index 8b8cfcdad7..9a93fd933b 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -36,8 +36,9 @@ - name: name level: extended - type: keyword + type: wildcard example: "Mac OS X" + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, without the version. multi_fields: @@ -46,8 +47,9 @@ - name: full level: extended - type: keyword + type: wildcard example: "Mac OS Mojave" + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, including the version or code name. multi_fields: diff --git a/schemas/pe.yml b/schemas/pe.yml index 126fb16136..8a7e2ddaf8 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml 
@@ -13,7 +13,8 @@ fields: - name: original_file_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE diff --git a/schemas/process.yml b/schemas/process.yml index 13ec63c07f..8c9661cebd 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -44,8 +44,9 @@ - name: name level: extended - type: keyword + type: wildcard short: Process name. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process name. @@ -72,8 +73,9 @@ - name: command_line level: extended - type: keyword + type: wildcard short: Full command line that started the process. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -110,7 +112,8 @@ - name: executable level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Absolute path to the process executable. example: /usr/bin/ssh @@ -120,8 +123,9 @@ - name: title level: extended - type: keyword + type: wildcard short: Process title. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process title. @@ -141,7 +145,8 @@ - name: thread.name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: 'thread-0' description: > Thread name. 
@@ -162,8 +167,9 @@ - name: working_directory level: extended - type: keyword + type: wildcard example: /home/alice + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The working directory of the process. multi_fields: diff --git a/schemas/registry.yml b/schemas/registry.yml index bf8670d84e..576727087e 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -14,7 +14,8 @@ - name: key level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -26,7 +27,8 @@ - name: path level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -38,8 +40,9 @@ - name: data.strings level: core - type: keyword + type: wildcard short: List of strings representing what was written to the registry. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: '["C:\rta\red_ttp\bin\myapp.exe"]' description: > Content when writing string types. diff --git a/schemas/server.yml b/schemas/server.yml index 867b3bd03c..b8d6924696 100644 --- a/schemas/server.yml +++ b/schemas/server.yml 
@@ -53,13 +53,15 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Server domain. - name: registered_domain level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: The highest registered server domain, stripped of the subdomain. description: > The highest registered server domain, stripped of the subdomain. diff --git a/schemas/source.yml b/schemas/source.yml index 268b975312..581d5c062b 100644 --- a/schemas/source.yml +++ b/schemas/source.yml @@ -48,14 +48,16 @@ - name: domain level: core - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Source domain. - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered source domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered source domain, stripped of the subdomain. diff --git a/schemas/tls.yml b/schemas/tls.yml index 3ecacb041a..781aafb66e 100644 --- a/schemas/tls.yml +++ b/schemas/tls.yml 
@@ -78,14 +78,16 @@ - array - name: client.subject - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the x.509 certificate presented by the client. example: "CN=myclient, OU=Documentation Team, DC=example, DC=com" - name: client.issuer - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com" @@ -157,14 +159,16 @@ example: 394441ab65754e2207b1e1b457b3641d - name: server.subject - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the x.509 certificate presented by the server. example: "CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com" - name: server.issuer - type: keyword + type: wildcard level: extended + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the issuer of the x.509 certificate presented by the server. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com" diff --git a/schemas/url.yml b/schemas/url.yml index 88a0278891..a264e59395 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -10,7 +10,8 @@ - name: original level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. short: Unmodified original url as seen in the event source. description: > Unmodified original url as seen in the event source. 
@@ -28,8 +29,9 @@ - name: full level: extended - type: keyword + type: wildcard short: Full unparsed URL. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the @@ -51,8 +53,9 @@ - name: domain level: extended - type: keyword + type: wildcard short: Domain of the url. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Domain of the url, such as "www.elastic.co". @@ -65,8 +68,9 @@ - name: registered_domain level: extended - type: keyword + type: wildcard short: The highest registered url domain, stripped of the subdomain. + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered url domain, stripped of the subdomain. @@ -116,7 +120,8 @@ - name: path level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Path of the request, such as "/search". diff --git a/schemas/user.yml b/schemas/user.yml index 0fe7a32411..6e010627cf 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -48,8 +48,9 @@ - name: name level: core - type: keyword + type: wildcard example: albert + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Short name or login of the user. multi_fields: @@ -58,7 +59,8 @@ - name: full_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: Albert Einstein description: > User's full name, if available. 
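Review bot: The placement of the new `beta:` attribute is inconsistent across the changed fields: in `url.original` (the hunk just before this one) it is inserted before `short:`, in `url.full` and `url.domain` here it follows `short:`, and in `user.yml` it follows `example:` for `user.name` but precedes it for `user.full_name`. The same drift appears in the earlier `process.yml` and `os.yml` hunks of this patch. If the schema loader treats each field as a mapping the order is cosmetic, but choosing one placement (for example directly after `type:`, which every changed field already has) keeps the hand-maintained schema files consistent and easier to diff. Each field entry here continues past the hunk boundaries, so the `description:` and `multi_fields:` blocks are only partly visible.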
@@ -68,7 +70,8 @@ - name: email level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > User email address. diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml index 9c18c20827..84388859cf 100644 --- a/schemas/user_agent.yml +++ b/schemas/user_agent.yml @@ -12,7 +12,8 @@ - name: original level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. multi_fields: - type: text name: text diff --git a/schemas/x509.yml b/schemas/x509.yml index 124551c96c..a36e8a91a1 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -37,7 +37,8 @@ - name: issuer.distinguished_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -113,7 +114,8 @@ - name: subject.distinguished_name level: extended - type: keyword + type: wildcard + beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md index dff825a597..15e2935a61 100644 --- a/use-cases/auditbeat.md +++ b/use-cases/auditbeat.md @@ -9,8 +9,8 @@ ECS usage in Auditbeat. |---|---|---|---|---| | [event.module](../README.md#event.module) | Auditbeat module name. | core | keyword | `apache` | | *file.** | *File attributes.
* | | | | -| [file.path](../README.md#file.path) | The path to the file. | extended | keyword | `/home/alice/example.png` | -| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | keyword | | +| [file.path](../README.md#file.path) | The path to the file. | extended | wildcard | `/home/alice/example.png` | +| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | wildcard | | | [file.type](../README.md#file.type) | The file type (file, dir, or symlink). | extended | keyword | `file` | | [file.device](../README.md#file.device) | The device. | extended | keyword | `sda` | | [file.inode](../README.md#file.inode) | The inode representing the file in the filesystem. | extended | keyword | `256383` | diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md index a9ef41840f..293c2fb190 100644 --- a/use-cases/filebeat-apache-access.md +++ b/use-cases/filebeat-apache-access.md @@ -13,7 +13,7 @@ ECS fields used in Filebeat for the apache module. | [event.module](../README.md#event.module) | Currently fileset.module | core | keyword | `apache` | | [event.dataset](../README.md#event.dataset) | Currenly fileset.name | core | keyword | `access` | | [source.ip](../README.md#source.ip) | Source ip of the request. Currently apache.access.remote_ip | core | ip | `192.168.1.1` | -| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` | +| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | wildcard | `ruflin` | | *http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` | | *http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` | | [http.version](../README.md#http.version) | Http version, currently apache.access.http_version | extended | keyword | `1.1` | 
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module. | *http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` | | *http.referer* | *Http referrer code, currently apache.access.referrer
NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` | | *user_agent.** | *User agent fields as in schema. Currently under apache.access.user_agent.*
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` | +| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | wildcard | `http://elastic.co/` | | *geoip.** | *User agent fields as in schema. Currently under apache.access.geoip.*
These are extracted from source.ip
Should they be under source.geoip?
* | | | | | *geoip....* | *All geoip fields.* | (use case) | keyword | | diff --git a/use-cases/kubernetes.md b/use-cases/kubernetes.md index 5588da6060..057ed289cb 100644 --- a/use-cases/kubernetes.md +++ b/use-cases/kubernetes.md @@ -10,7 +10,7 @@ You can monitor containers running in a Kubernetes cluster by adding Kubernetes- |---|---|---|---|---| | [container.id](../README.md#container.id) | Unique container id. | core | keyword | `fdbef803fa2b` | | [container.name](../README.md#container.name) | Container name. | extended | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | keyword | `kube-high-cpu-42` | +| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | wildcard | `kube-high-cpu-42` | | *kubernetes.pod.name* | *Kubernetes pod name* | (use case) | keyword | `foo-webserver` | | *kubernetes.namespace* | *Kubernetes namespace* | (use case) | keyword | `foo-team` | | *kubernetes.labels* | *Kubernetes labels map* | (use case) | object | | diff --git a/use-cases/metricbeat.md b/use-cases/metricbeat.md index c573a7897e..79b3369efd 100644 --- a/use-cases/metricbeat.md +++ b/use-cases/metricbeat.md @@ -21,7 +21,7 @@ ECS fields used Metricbeat. | *error.** | *Error namespace
Use for errors which can happen during fetching information for a service.
* | | | | | [error.message](../README.md#error.message) | Error message returned by the service during fetching metrics. | core | text | | | [error.code](../README.md#error.code) | Error code returned by the service during fetching metrics. | core | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | keyword | | +| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | wildcard | | | *host.timezone.offset.sec* | *Timezone offset of the host in seconds.* | (use case) | long | | | [host.id](../README.md#host.id) | Unique host id. | core | keyword | | | [event.module](../README.md#event.module) | Name of the module this data is coming from. | core | keyword | `mysql` | diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md index 57f9a96062..d70944b48c 100644 --- a/use-cases/web-logs.md +++ b/use-cases/web-logs.md @@ -12,12 +12,12 @@ Using the fields as represented here is not expected to conflict with ECS, but m | [@timestamp](../README.md#@timestamp) | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` | | *http.** | *Fields related to HTTP requests and responses.
* | | | | | [http.request.method](../README.md#http.request.method) | Http request method. | extended | keyword | `GET, POST, PUT` | -| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` | +| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | wildcard | `https://blog.example.com/` | | [http.response.status_code](../README.md#http.response.status_code) | Http response status code. | extended | long | `404` | -| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | keyword | `Hello world` | +| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | wildcard | `Hello world` | | [http.version](../README.md#http.version) | Http version. | extended | keyword | `1.1` | | *user_agent.** | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | +| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | wildcard | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | | *user_agent.device* | *Name of the physical device.* | (use case) | keyword | | | [user_agent.version](../README.md#user_agent.version) | Version of the physical device. | extended | keyword | `12.0` | | *user_agent.major* | *Major version of the user agent.* | (use case) | long | | From 78573516a15cd183d35727a85bdca71ce57ed553 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 14 Dec 2020 13:48:24 -0600 Subject: [PATCH 60/90] [1.x] Conditional handling in es_template.template_settings (#1191) (#1192) --- scripts/generators/es_template.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/scripts/generators/es_template.py b/scripts/generators/es_template.py index fb45800dce..386fd6e49b 100644 --- a/scripts/generators/es_template.py +++ b/scripts/generators/es_template.py 
@@ -198,17 +198,23 @@ def template_settings(es_version, ecs_version, mappings_section, template_settin es6_type_fallback(mappings_section['properties']) # error.stack_trace needs special handling to set - # index: false and doc_values: false - error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace'] - error_stack_trace_mappings.setdefault('index', False) - error_stack_trace_mappings.setdefault('doc_values', False) + # index: false and doc_values: false if the field + # is present in the mappings + try: + error_stack_trace_mappings = mappings_section['properties']['error']['properties']['stack_trace'] + error_stack_trace_mappings.setdefault('index', False) + error_stack_trace_mappings.setdefault('doc_values', False) + except KeyError: + pass template['mappings'] = {'_doc': mappings_section} else: template['mappings'] = mappings_section # _meta can't be at template root in legacy templates, so moving back to mappings section - mappings_section['_meta'] = template.pop('_meta') + # if present + if '_meta' in template: + mappings_section['_meta'] = template.pop('_meta') return template From e2fef1be074de13970c9d8a2dafcf30b15cc4368 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 15 Dec 2020 13:17:49 -0600 Subject: [PATCH 61/90] [1.x] Artifacts docs page (#1189) (#1195) --- CHANGELOG.next.md | 1 + docs/additional.asciidoc | 2 ++ docs/artifacts.asciidoc | 6 ++++++ docs/index.asciidoc | 2 ++ docs/using-conventions.asciidoc | 2 +- 5 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 docs/artifacts.asciidoc diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 8ca8f9e915..265e88ebf8 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
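Review bot: The new `try` block covers the two `setdefault` calls as well as the nested `mappings_section['properties']['error']['properties']['stack_trace']` lookup, so the guard is wider than the "field is present" condition the comment describes; moving the two `setdefault` lines into an `else:` clause of the `try` keeps `except KeyError: pass` scoped to the lookup alone. The same intent could be expressed without exceptions as `stack_trace = mappings_section['properties'].get('error', {}).get('properties', {}).get('stack_trace')` followed by `if stack_trace is not None:`. The `_meta` relocation below is correct as written; note that `template.pop('_meta', None)` would not be an equivalent shortcut because it would write `None` into `mappings_section`. `template_settings` begins before this hunk; only its tail is shown here.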
@@ -53,6 +53,7 @@ Thanks, you're awesome :-) --> * Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162 * ES 6.x template data types will fallback to supported types. #1171, #1176, #1186 +* Add a documentation page discussing the experimental artifacts. #1189 #### Deprecated diff --git a/docs/additional.asciidoc b/docs/additional.asciidoc index d42bcfbeec..f6796174d8 100644 --- a/docs/additional.asciidoc +++ b/docs/additional.asciidoc @@ -4,8 +4,10 @@ * <> * <> * <> +* <> // include::use-cases.asciidoc[] include::faq.asciidoc[] include::glossary.asciidoc[] include::contributing.asciidoc[] +include::artifacts.asciidoc[] diff --git a/docs/artifacts.asciidoc b/docs/artifacts.asciidoc new file mode 100644 index 0000000000..77df53de17 --- /dev/null +++ b/docs/artifacts.asciidoc @@ -0,0 +1,6 @@ +[[ecs-artifacts]] +=== Generated Artifacts + +ECS maintains a collection of artifacts which are generated based on the schema. Examples include Elasticsearch index templates, CSV, and Beats field mappings. The maintained artifacts can be found in the {ecs_github_repo_link}/generated#artifacts-generated-from-ecs[ECS Github repo]. + +Users can generate custom versions of these artifacts using the ECS project's tooling. See the tooling {ecs_github_repo_link}/USAGE.md[usage documentation] for more detail. diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 198abfce07..8141abcec7 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -5,6 +5,8 @@ include::{asciidoc-dir}/../../shared/versions/stack/current.asciidoc[] include::{asciidoc-dir}/../../shared/attributes.asciidoc[] +:ecs_github_repo_link: https://github.com/elastic/ecs/blob/master + [[ecs-reference]] == Overview diff --git a/docs/using-conventions.asciidoc b/docs/using-conventions.asciidoc index 2972a0df68..f321b26765 100644 --- a/docs/using-conventions.asciidoc +++ b/docs/using-conventions.asciidoc 
@@ -42,7 +42,7 @@ Elasticsearch can index text using datatypes: ===== Default Elasticsearch convention for indexing text fields Unless your index mapping or index template specifies otherwise -(as the ECS index template does), +(as the <> does), Elasticsearch indexes a text field as `text` at the canonical field name, and indexes a second time as `keyword`, nested in a multi-field. From 82adfee1dc016927c4e8a7e9a7bd4da02f090fb7 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 15 Dec 2020 13:29:58 -0600 Subject: [PATCH 62/90] [1.x] Remove beta warning label from categorization fields docs (#1067) (#1196) --- CHANGELOG.next.md | 1 + docs/field-values.asciidoc | 27 --------------------------- scripts/templates/field_values.j2 | 12 ------------ 3 files changed, 1 insertion(+), 39 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 265e88ebf8..e314547d31 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -24,6 +24,7 @@ Thanks, you're awesome :-) --> #### Improvements +* Event categorization fields GA. #1067 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 #### Deprecated diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 6f3adc1c26..2ff082fd3f 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc 
@@ -2,13 +2,6 @@ [[ecs-category-field-values-reference]] == {ecs} Categorization Fields -WARNING: This section of ECS is in beta and is subject to change. These allowed values -are still under active development. Additional values will be published gradually, -and some of the values or relationships described here may change. -Users who want to provide feedback, or who want to have a look at -upcoming allowed values can visit this public feedback document -https://ela.st/ecs-categories-draft. - At a high level, ECS provides fields to classify events in two different ways: "Where it's from" (e.g., `event.module`, `event.dataset`, `agent.type`, `observer.type`, etc.), and "What it is." The categorization fields hold the "What it is" information, @@ -38,11 +31,6 @@ This is one of four ECS Categorization Fields, and indicates the highest level i The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. -WARNING: After the beta period for categorization, only the allowed categorization -values listed in the ECS repository and official ECS documentation should be considered -official. Use of any other values may result in incompatible implementations -that will require subsequent breaking changes. - *Allowed Values* * <> @@ -125,11 +113,6 @@ This is one of four ECS Categorization Fields, and indicates the second level in This field is an array. This will allow proper categorization of some events that fall in multiple categories. -WARNING: After the beta period for categorization, only the allowed categorization -values listed in the ECS repository and official ECS documentation should be considered -official. Use of any other values may result in incompatible implementations -that will require subsequent breaking changes. - *Allowed Values* * <> 
@@ -345,11 +328,6 @@ This is one of four ECS Categorization Fields, and indicates the third level in This field is an array. This will allow proper categorization of some events that fall in multiple event types. -WARNING: After the beta period for categorization, only the allowed categorization -values listed in the ECS repository and official ECS documentation should be considered -official. Use of any other values may result in incompatible implementations -that will require subsequent breaking changes. - *Allowed Values* * <> @@ -510,11 +488,6 @@ Also note that in the case of a compound event (a single event that contains mul Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. -WARNING: After the beta period for categorization, only the allowed categorization -values listed in the ECS repository and official ECS documentation should be considered -official. Use of any other values may result in incompatible implementations -that will require subsequent breaking changes. - *Allowed Values* * <> diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2 index 1ee2ab9890..4789c00e09 100644 --- a/scripts/templates/field_values.j2 +++ b/scripts/templates/field_values.j2 
@@ -2,13 +2,6 @@ [[ecs-category-field-values-reference]] == {ecs} Categorization Fields -WARNING: This section of ECS is in beta and is subject to change. These allowed values -are still under active development. Additional values will be published gradually, -and some of the values or relationships described here may change. -Users who want to provide feedback, or who want to have a look at -upcoming allowed values can visit this public feedback document -https://ela.st/ecs-categories-draft. - At a high level, ECS provides fields to classify events in two different ways: "Where it's from" (e.g., `event.module`, `event.dataset`, `agent.type`, `observer.type`, etc.), and "What it is." The categorization fields hold the "What it is" information, @@ -34,11 +27,6 @@ once the appropriate categorization values are published, in a later release. {{ field['description']|replace("\n", "\n\n") }} -WARNING: After the beta period for categorization, only the allowed categorization -values listed in the ECS repository and official ECS documentation should be considered -official. Use of any other values may result in incompatible implementations -that will require subsequent breaking changes. - *Allowed Values* {% for value_details in field['allowed_values'] %} * <> From 2ae684e2762b1aa8022c597d53021cb4f7c2fcfe Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 15 Dec 2020 13:42:54 -0600 Subject: [PATCH 63/90] [1.x] Correct wording of `event.reference` description (#1181) (#1197) --- CHANGELOG.next.md | 2 ++ code/go/ecs/event.go | 2 +- docs/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/ecs/ecs_flat.yml | 4 ++-- experimental/generated/ecs/ecs_nested.yml | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/ecs/ecs_flat.yml | 4 ++-- generated/ecs/ecs_nested.yml | 2 +- schemas/event.yml | 2 +- 10 files changed, 13 insertions(+), 11 deletions(-) 
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index e314547d31..d85ec4c97a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,6 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Clean up `event.reference` description. #1181 + #### Added * Added `event.category` "registry". #1040 diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 1dfdf696c4..4cced17b76 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -199,7 +199,7 @@ type Event struct { Ingested time.Time `ecs:"ingested"` // Reference URL linking to additional information about this event. - // This URL links to a static definition of the this event. Alert events, + // This URL links to a static definition of this event. Alert events, // indicated by `event.kind:alert`, are a common use case for this field. Reference string `ecs:"reference"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 90fec37b2b..73bc4467d3 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2164,7 +2164,7 @@ example: `Terminated an unexpected process` | Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9a58688014..3d103d3883 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1392,7 +1392,7 @@ ignore_above: 1024 description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 default_field: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 8997fffccf..f98d8b95ce 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2183,8 +2183,8 @@ event.reference: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 6d1a832021..97acbc2459 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2587,7 +2587,7 @@ event: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index d7bb24c1bd..1f06a65a1a 100644 --- a/generated/beats/fields.ecs.yml 
+++ b/generated/beats/fields.ecs.yml @@ -1392,7 +1392,7 @@ ignore_above: 1024 description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 0c6e8374cf..7e7347eba8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2183,8 +2183,8 @@ event.reference: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 50c4915485..47cd8526ef 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2587,7 +2587,7 @@ event: dashed_name: event-reference description: 'Reference URL linking to additional information about this event. - This URL links to a static definition of the this event. Alert events, indicated + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' example: https://system.example.com/event/#0001234 flat_name: event.reference diff --git a/schemas/event.yml b/schemas/event.yml index 0edbf6b8de..3e4aaf4627 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -714,7 +714,7 @@
 description: >
 Reference URL linking to additional information about this event.
- This URL links to a static definition of the this event.
+ This URL links to a static definition of this event.
 Alert events, indicated by `event.kind:alert`, are a common use case for this field.
 example: "https://system.example.com/event/#0001234"
From cd6778c22be879ca14d50a2e75772a54aa70e519 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Tue, 15 Dec 2020 15:34:07 -0600
Subject: [PATCH 64/90] Bump version to 1.9.0-dev in branch 1.x (#1198)
---
code/go/ecs/version.go | 2 +-
docs/fields.asciidoc | 2 +-
docs/index.asciidoc | 2 +-
experimental/generated/beats/fields.ecs.yml | 2 +-
experimental/generated/csv/fields.csv | 1460 ++++++++---------
.../generated/elasticsearch/7/template.json | 2 +-
.../elasticsearch/component/agent.json | 2 +-
.../elasticsearch/component/base.json | 2 +-
.../elasticsearch/component/client.json | 2 +-
.../elasticsearch/component/cloud.json | 2 +-
.../elasticsearch/component/container.json | 2 +-
.../elasticsearch/component/destination.json | 2 +-
.../elasticsearch/component/dll.json | 2 +-
.../elasticsearch/component/dns.json | 2 +-
.../elasticsearch/component/ecs.json | 2 +-
.../elasticsearch/component/error.json | 2 +-
.../elasticsearch/component/event.json | 2 +-
.../elasticsearch/component/file.json | 2 +-
.../elasticsearch/component/group.json | 2 +-
.../elasticsearch/component/host.json | 2 +-
.../elasticsearch/component/http.json | 2 +-
.../elasticsearch/component/log.json | 2 +-
.../elasticsearch/component/network.json | 2 +-
.../elasticsearch/component/observer.json | 2 +-
.../elasticsearch/component/organization.json | 2 +-
.../elasticsearch/component/package.json | 2 +-
.../elasticsearch/component/process.json | 2 +-
.../elasticsearch/component/registry.json | 2 +-
.../elasticsearch/component/related.json | 2 +-
.../elasticsearch/component/rule.json | 2 +-
.../elasticsearch/component/server.json | 2 +-
.../elasticsearch/component/service.json | 2 +-
.../elasticsearch/component/source.json | 2 +-
.../elasticsearch/component/threat.json | 2 +-
.../elasticsearch/component/tls.json | 2 +-
.../elasticsearch/component/tracing.json | 2 +-
.../elasticsearch/component/url.json | 2 +-
.../elasticsearch/component/user.json | 2 +-
.../elasticsearch/component/user_agent.json | 2 +-
.../component/vulnerability.json | 2 +-
.../generated/elasticsearch/template.json | 70 +-
generated/beats/fields.ecs.yml | 2 +-
generated/csv/fields.csv | 1446 ++++++++--------
generated/elasticsearch/6/template.json | 2 +-
generated/elasticsearch/7/template.json | 2 +-
generated/elasticsearch/component/agent.json | 2 +-
generated/elasticsearch/component/base.json | 2 +-
generated/elasticsearch/component/client.json | 2 +-
generated/elasticsearch/component/cloud.json | 2 +-
.../elasticsearch/component/container.json | 2 +-
.../elasticsearch/component/destination.json | 2 +-
generated/elasticsearch/component/dll.json | 2 +-
generated/elasticsearch/component/dns.json | 2 +-
generated/elasticsearch/component/ecs.json | 2 +-
generated/elasticsearch/component/error.json | 2 +-
generated/elasticsearch/component/event.json | 2 +-
generated/elasticsearch/component/file.json | 2 +-
generated/elasticsearch/component/group.json | 2 +-
generated/elasticsearch/component/host.json | 2 +-
generated/elasticsearch/component/http.json | 2 +-
generated/elasticsearch/component/log.json | 2 +-
.../elasticsearch/component/network.json | 2 +-
.../elasticsearch/component/observer.json | 2 +-
.../elasticsearch/component/organization.json | 2 +-
.../elasticsearch/component/package.json | 2 +-
.../elasticsearch/component/process.json | 2 +-
.../elasticsearch/component/registry.json | 2 +-
.../elasticsearch/component/related.json | 2 +-
generated/elasticsearch/component/rule.json | 2 +-
generated/elasticsearch/component/server.json | 2 +-
.../elasticsearch/component/service.json | 2 +-
generated/elasticsearch/component/source.json | 2 +-
generated/elasticsearch/component/threat.json | 2 +-
generated/elasticsearch/component/tls.json | 2 +-
.../elasticsearch/component/tracing.json | 2 +-
generated/elasticsearch/component/url.json | 2 +-
generated/elasticsearch/component/user.json | 2 +-
.../elasticsearch/component/user_agent.json | 2 +-
.../component/vulnerability.json | 2 +-
generated/elasticsearch/template.json | 70 +-
version | 2 +-
81 files changed, 1600 insertions(+), 1600 deletions(-)
diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go
index 0921192cae..6aba04736b 100644
--- a/code/go/ecs/version.go
+++ b/code/go/ecs/version.go
@@ -20,4 +20,4 @@
 package ecs
 // Version is the Elastic Common Schema version from which this was generated.
-const Version = "1.8.0-dev"
+const Version = "1.9.0-dev"
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index bb07676dcb..3d6f8fa662 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -2,7 +2,7 @@
 [[ecs-field-reference]]
 == {ecs} Field Reference
-This is the documentation of ECS version 1.8.0-dev.
+This is the documentation of ECS version 1.9.0-dev.
 ECS defines multiple groups of related fields. They are called "field sets".
 The <> field set is the only one whose fields are defined
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
index 8141abcec7..58a21f5124 100644
--- a/docs/index.asciidoc
+++ b/docs/index.asciidoc
@@ -10,7 +10,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[ecs-reference]]
 == Overview
-This is the documentation of ECS version 1.8.0-dev.
+This is the documentation of ECS version 1.9.0-dev.
 [float]
 === What is ECS?
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 3d103d3883..02da5c2ee4 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.8.0-dev+exp. +# based on ECS version 1.9.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 1912a88568..b5efd516c7 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,731 +1,731 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.8.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.8.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.8.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.8.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.8.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.8.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.8.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.8.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.8.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.8.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.8.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -1.8.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.8.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. -1.8.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. 
-1.8.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. -1.8.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. -1.8.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.8.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -1.8.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.8.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -1.8.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.8.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-1.8.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.8.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.8.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.8.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.8.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.8.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.8.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.8.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.8.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.8.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. 
-1.8.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -1.8.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -1.8.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.8.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -1.8.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -1.8.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.8.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -1.8.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.8.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. -1.8.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-1.8.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.8.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. -1.8.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.8.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.8.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.8.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -1.8.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.8.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. 
-1.8.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.8.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.8.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
-1.8.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.8.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.8.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -1.8.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.8.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.8.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.8.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.8.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.8.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. 
-1.8.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.8.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -1.8.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.8.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.8.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.8.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.8.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.8.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.8.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.8.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -1.8.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.8.0-dev+exp,true,error,error.message,text,core,,,Error message. -1.8.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -1.8.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.8.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.8.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.8.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. 
-1.8.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.8.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.8.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.8.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.8.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.8.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.8.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.8.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.8.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.8.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.8.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.8.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.8.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-1.8.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.8.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.8.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.8.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.8.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.8.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.8.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.8.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -1.8.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.8.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.8.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.8.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.8.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-1.8.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -1.8.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.8.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.8.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.8.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.8.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.8.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.8.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.8.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.8.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.8.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.8.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.8.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.8.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.8.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
-1.8.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.8.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -1.8.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -1.8.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.8.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.8.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.8.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.8.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.8.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.8.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -1.8.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -1.8.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 
-1.8.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.8.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. -1.8.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -1.8.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -1.8.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.8.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -1.8.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -1.8.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -1.8.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -1.8.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -1.8.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-1.8.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -1.8.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.8.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.8.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -1.8.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.8.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.8.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.8.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.8.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.8.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.8.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -1.8.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.8.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.8.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.8.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.8.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.8.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. 
-1.8.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -1.8.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.8.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.8.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.8.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.8.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.8.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -1.8.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.8.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.8.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.8.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.8.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.8.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.8.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.8.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.8.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.8.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.8.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. 
-1.8.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.8.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.8.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.8.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.8.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.8.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.8.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -1.8.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.8.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. 
-1.8.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -1.8.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.8.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.8.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.8.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.8.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.8.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-1.8.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.8.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.8.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.8.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.8.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -1.8.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.8.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. -1.8.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. -1.8.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
-1.8.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.8.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.8.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.8.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.8.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. -1.8.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.8.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -1.8.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.8.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.8.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -1.8.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -1.8.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -1.8.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.8.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-1.8.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. -1.8.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. -1.8.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. -1.8.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 
-1.8.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.8.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 
-1.8.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.8.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -1.8.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.8.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. -1.8.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. -1.8.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 
-1.8.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -1.8.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.8.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. -1.8.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. -1.8.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. 
-1.8.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.8.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.8.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.8.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.8.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.8.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.8.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.8.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.8.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.8.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.8.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
-1.8.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.8.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.8.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.8.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -1.8.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.8.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.8.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.8.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.8.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.8.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.8.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -1.8.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.8.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. -1.8.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.8.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -1.8.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. -1.8.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.8.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -1.8.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.8.0-dev+exp,true,server,server.port,long,core,,,Port of the server. -1.8.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.8.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
-1.8.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.8.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.8.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.8.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.8.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -1.8.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.8.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.8.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -1.8.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.8.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. -1.8.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
-1.8.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -1.8.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. -1.8.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.8.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -1.8.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.8.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -1.8.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.8.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-1.8.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.8.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.8.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.8.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.8.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -1.8.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.8.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
-1.8.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -1.8.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.8.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.8.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.8.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.8.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.8.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
-1.8.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.8.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.8.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.8.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.8.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.8.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.8.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-1.8.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-1.8.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.8.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.8.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.8.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.8.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -1.8.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.8.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-1.8.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.8.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.8.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.8.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.8.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.8.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
-1.8.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
-1.8.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.8.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.8.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.8.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.8.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.8.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -1.8.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.8.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-1.8.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.8.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -1.8.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -1.8.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.8.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -1.8.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.8.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.8.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -1.8.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.8.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
-1.8.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. -1.8.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.8.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.8.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.8.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.8.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-1.8.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.8.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.8.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
-1.8.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.8.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -1.8.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.8.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.8.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.8.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.8.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.9.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.9.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. 
+1.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +1.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. +1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +1.9.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." 
+1.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. 
+1.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. 
+1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +1.9.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+1.9.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +1.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. 
+1.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.9.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +1.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 
+1.9.0-dev+exp,true,error,error.message,text,core,,,Error message. +1.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.9.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.9.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+1.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +1.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +1.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+1.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 
+1.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+1.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." 
+1.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +1.9.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 
+1.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +1.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.9.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. 
+1.9.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.9.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
+1.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.9.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +1.9.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.9.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.9.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +1.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. 
+1.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +1.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 
+1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +1.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. 
+1.9.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. +1.9.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. +1.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +1.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +1.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +1.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +1.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. +1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. 
+1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.9.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +1.9.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. 
+1.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.9.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. 
+1.9.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. +1.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.9.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +1.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +1.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. +1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +1.9.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+1.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +1.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +1.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. +1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +1.9.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+1.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.9.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
+1.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+1.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.9.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+1.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+1.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +1.9.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.9.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+1.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+1.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.9.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +1.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+1.9.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +1.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +1.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +1.9.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +1.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
+1.9.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. +1.9.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.9.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
+1.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 0fe6ffed2b..029aa451f3 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.8.0-dev+exp" + "version": "1.9.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json index fb5c48723d..2ee628913a 100644 --- a/experimental/generated/elasticsearch/component/agent.json +++ b/experimental/generated/elasticsearch/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json index f99eeef699..d02df1ef01 100644 --- a/experimental/generated/elasticsearch/component/base.json 
+++ b/experimental/generated/elasticsearch/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json index 15ddc75390..bb1003070f 100644 --- a/experimental/generated/elasticsearch/component/client.json +++ b/experimental/generated/elasticsearch/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json index ff7311dafe..52f33efb8c 100644 --- a/experimental/generated/elasticsearch/component/cloud.json +++ b/experimental/generated/elasticsearch/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json index 8141acb5b2..f8c4f440af 100644 --- a/experimental/generated/elasticsearch/component/container.json +++ b/experimental/generated/elasticsearch/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json index 3b26ce3896..be3448e658 100644 
--- a/experimental/generated/elasticsearch/component/destination.json +++ b/experimental/generated/elasticsearch/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index da68f2d771..7491296fa2 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json index 5060df8227..4b1544f730 100644 --- a/experimental/generated/elasticsearch/component/dns.json +++ b/experimental/generated/elasticsearch/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json index 244cf87db4..201b6c8afa 100644 --- a/experimental/generated/elasticsearch/component/ecs.json +++ b/experimental/generated/elasticsearch/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json index 4423a3a84c..1a78f012f5 100644 
--- a/experimental/generated/elasticsearch/component/error.json +++ b/experimental/generated/elasticsearch/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json index 42a982b4bf..023b3609e4 100644 --- a/experimental/generated/elasticsearch/component/event.json +++ b/experimental/generated/elasticsearch/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 5c1b4b6057..58379893c1 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json index f310f5c103..af27bad40e 100644 --- a/experimental/generated/elasticsearch/component/group.json +++ b/experimental/generated/elasticsearch/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json index 72a4bf410b..f5645b0920 100644 
--- a/experimental/generated/elasticsearch/component/host.json +++ b/experimental/generated/elasticsearch/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json index 5de0e679a7..b2284df25e 100644 --- a/experimental/generated/elasticsearch/component/http.json +++ b/experimental/generated/elasticsearch/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json index 81228a61ff..0781701d8e 100644 --- a/experimental/generated/elasticsearch/component/log.json +++ b/experimental/generated/elasticsearch/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json index c2730e72d0..e77b7b3980 100644 --- a/experimental/generated/elasticsearch/component/network.json +++ b/experimental/generated/elasticsearch/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json index ad34d29bbe..bc53052962 100644 
--- a/experimental/generated/elasticsearch/component/observer.json +++ b/experimental/generated/elasticsearch/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json index 6af7d5ac6f..00a4d1a501 100644 --- a/experimental/generated/elasticsearch/component/organization.json +++ b/experimental/generated/elasticsearch/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json index af4633e8a4..12913eecc9 100644 --- a/experimental/generated/elasticsearch/component/package.json +++ b/experimental/generated/elasticsearch/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index e082f76b26..9fad9bcc0c 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json index 96ced2ea54..1eb688adec 100644 --- a/experimental/generated/elasticsearch/component/registry.json +++ b/experimental/generated/elasticsearch/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json index c1ab9d53bd..498b911430 100644 --- a/experimental/generated/elasticsearch/component/related.json +++ b/experimental/generated/elasticsearch/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json index b41de85270..c93278e7cd 100644 --- a/experimental/generated/elasticsearch/component/rule.json +++ b/experimental/generated/elasticsearch/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json index 088a8834c9..16cd5781f8 100644 --- a/experimental/generated/elasticsearch/component/server.json +++ b/experimental/generated/elasticsearch/component/server.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json index 406a1b6035..e4567b3636 100644 --- a/experimental/generated/elasticsearch/component/service.json +++ b/experimental/generated/elasticsearch/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json index 34b49ff5ac..43edaf2f09 100644 --- a/experimental/generated/elasticsearch/component/source.json +++ b/experimental/generated/elasticsearch/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index fc11a704d4..1a7e47a34b 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json index b408cc9ef1..340e30449a 100644 --- a/experimental/generated/elasticsearch/component/tls.json 
+++ b/experimental/generated/elasticsearch/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json index 93d265526a..8efefe3463 100644 --- a/experimental/generated/elasticsearch/component/tracing.json +++ b/experimental/generated/elasticsearch/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json index 7c9d8e0f5b..29f8ee9338 100644 --- a/experimental/generated/elasticsearch/component/url.json +++ b/experimental/generated/elasticsearch/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json index b06e2205dd..85fa6d4f9e 100644 --- a/experimental/generated/elasticsearch/component/user.json +++ b/experimental/generated/elasticsearch/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json index 90d6220b01..a336ce44ed 100644 
--- a/experimental/generated/elasticsearch/component/user_agent.json +++ b/experimental/generated/elasticsearch/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json index 9b1b6c0289..a287339ab1 100644 --- a/experimental/generated/elasticsearch/component/vulnerability.json +++ b/experimental/generated/elasticsearch/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json index 44ea72094d..b8f252c020 100644 --- a/experimental/generated/elasticsearch/template.json +++ b/experimental/generated/elasticsearch/template.json 
@@ -1,43 +1,43 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "1.8.0-dev+exp" + "ecs_version": "1.9.0-dev+exp" }, "composed_of": [ - "ecs_1.8.0-dev-exp_agent", - "ecs_1.8.0-dev-exp_base", - "ecs_1.8.0-dev-exp_client", - "ecs_1.8.0-dev-exp_cloud", - "ecs_1.8.0-dev-exp_container", - "ecs_1.8.0-dev-exp_destination", - "ecs_1.8.0-dev-exp_dll", - "ecs_1.8.0-dev-exp_dns", - "ecs_1.8.0-dev-exp_ecs", - "ecs_1.8.0-dev-exp_error", - "ecs_1.8.0-dev-exp_event", - "ecs_1.8.0-dev-exp_file", - "ecs_1.8.0-dev-exp_group", - "ecs_1.8.0-dev-exp_host", - "ecs_1.8.0-dev-exp_http", - "ecs_1.8.0-dev-exp_log", - "ecs_1.8.0-dev-exp_network", - "ecs_1.8.0-dev-exp_observer", - "ecs_1.8.0-dev-exp_organization", - "ecs_1.8.0-dev-exp_package", - "ecs_1.8.0-dev-exp_process", - "ecs_1.8.0-dev-exp_registry", - "ecs_1.8.0-dev-exp_related", - "ecs_1.8.0-dev-exp_rule", - "ecs_1.8.0-dev-exp_server", - "ecs_1.8.0-dev-exp_service", - "ecs_1.8.0-dev-exp_source", - "ecs_1.8.0-dev-exp_threat", - "ecs_1.8.0-dev-exp_tls", - "ecs_1.8.0-dev-exp_tracing", - "ecs_1.8.0-dev-exp_url", - "ecs_1.8.0-dev-exp_user", - "ecs_1.8.0-dev-exp_user_agent", - "ecs_1.8.0-dev-exp_vulnerability" + "ecs_1.9.0-dev-exp_agent", + "ecs_1.9.0-dev-exp_base", + "ecs_1.9.0-dev-exp_client", + "ecs_1.9.0-dev-exp_cloud", + "ecs_1.9.0-dev-exp_container", + "ecs_1.9.0-dev-exp_destination", + "ecs_1.9.0-dev-exp_dll", + "ecs_1.9.0-dev-exp_dns", + "ecs_1.9.0-dev-exp_ecs", + "ecs_1.9.0-dev-exp_error", + "ecs_1.9.0-dev-exp_event", + "ecs_1.9.0-dev-exp_file", + "ecs_1.9.0-dev-exp_group", + "ecs_1.9.0-dev-exp_host", + "ecs_1.9.0-dev-exp_http", + "ecs_1.9.0-dev-exp_log", + "ecs_1.9.0-dev-exp_network", + "ecs_1.9.0-dev-exp_observer", + "ecs_1.9.0-dev-exp_organization", + "ecs_1.9.0-dev-exp_package", + "ecs_1.9.0-dev-exp_process", + "ecs_1.9.0-dev-exp_registry", + "ecs_1.9.0-dev-exp_related", + "ecs_1.9.0-dev-exp_rule", + "ecs_1.9.0-dev-exp_server", + "ecs_1.9.0-dev-exp_service", + 
"ecs_1.9.0-dev-exp_source", + "ecs_1.9.0-dev-exp_threat", + "ecs_1.9.0-dev-exp_tls", + "ecs_1.9.0-dev-exp_tracing", + "ecs_1.9.0-dev-exp_url", + "ecs_1.9.0-dev-exp_user", + "ecs_1.9.0-dev-exp_user_agent", + "ecs_1.9.0-dev-exp_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1f06a65a1a..55bf39366c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.8.0-dev. +# based on ECS version 1.9.0-dev. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 374aec3e21..87ca4a70d3 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,724 +1,724 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.8.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.8.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.8.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.8.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.8.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.8.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.8.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.8.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.8.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.8.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.8.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.8.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.8.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -1.8.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.8.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.8.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -1.8.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.8.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.8.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.8.0-dev,true,client,client.port,long,core,,,Port of the client. -1.8.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.8.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.8.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.8.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.8.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.8.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.8.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.8.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.8.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.8.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.8.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.8.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.8.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.8.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-1.8.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.8.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.8.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.8.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.8.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.8.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.8.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -1.8.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.8.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-1.8.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.8.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.8.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.8.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.8.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.8.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-1.8.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.8.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.8.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-1.8.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.8.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.8.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -1.8.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.8.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.8.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.8.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.8.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.8.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.8.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.8.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -1.8.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.8.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.8.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-1.8.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.8.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.8.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.8.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.8.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.8.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.8.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.8.0-dev,true,error,error.message,text,core,,,Error message. -1.8.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.8.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.8.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.8.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.8.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.8.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.8.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.8.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.8.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-1.8.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.8.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.8.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.8.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.8.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.8.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.8.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.8.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.8.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.8.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.8.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.8.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.8.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.8.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.8.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.8.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
-1.8.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.8.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.8.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.8.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.8.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,file,file.created,date,extended,,,File creation time. -1.8.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.8.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.8.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.8.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.8.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.8.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.8.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.8.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 
-1.8.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.8.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.8.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.8.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.8.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.8.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.8.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.8.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.8.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.8.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
-1.8.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -1.8.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.8.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.8.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.8.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-1.8.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.8.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.8.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.8.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.8.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -1.8.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.8.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.8.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -1.8.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.8.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
-1.8.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.8.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.8.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-1.8.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -1.8.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.8.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.8.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.8.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.8.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.8.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.8.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -1.8.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.8.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.8.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.8.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.8.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.8.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.8.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.8.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.8.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.8.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 
-1.8.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.8.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.8.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.8.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.8.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.8.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.8.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.8.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.8.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.8.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.8.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.8.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.8.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.8.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.8.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.8.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. 
-1.8.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.8.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.8.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.8.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.8.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.8.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.8.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 
-1.8.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -1.8.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.8.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.8.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.8.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.8.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.8.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.8.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.8.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.8.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -1.8.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.8.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.8.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 
-1.8.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.8.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.8.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.8.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.8.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.8.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.8.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -1.8.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.8.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.8.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.8.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.8.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.8.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.8.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
-1.8.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.8.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.8.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.8.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.8.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -1.8.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.8.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.8.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.8.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-1.8.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -1.8.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -1.8.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.8.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.8.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.8.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.8.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.8.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.8.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.8.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-1.8.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.8.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.8.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.8.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.8.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.8.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.8.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.8.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.8.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.8.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-1.8.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.8.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.8.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -1.8.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.8.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.8.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.8.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.8.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.8.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.8.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-1.8.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.8.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.8.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.8.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.8.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.8.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.8.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -1.8.0-dev,true,process,process.title,wildcard,extended,,,Process title. -1.8.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.8.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.8.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.8.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.8.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.8.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.8.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.8.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-1.8.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.8.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.8.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.8.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.8.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.8.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.8.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.8.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.8.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.8.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.8.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.8.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.8.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.8.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.8.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.8.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.8.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.8.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.8.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. 
-1.8.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.8.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -1.8.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.8.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -1.8.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.8.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.8.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.8.0-dev,true,server,server.port,long,core,,,Port of the server. -1.8.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.8.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. 
-1.8.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.8.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.8.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.8.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.8.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.8.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.8.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.8.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.8.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-1.8.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.8.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.8.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.8.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -1.8.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.8.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.8.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.8.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.8.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.8.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.8.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.8.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.8.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.8.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -1.8.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.8.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.8.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.8.0-dev,true,source,source.port,long,core,,,Port of the source. -1.8.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.8.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-1.8.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.8.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.8.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.8.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.8.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -1.8.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. 
-1.8.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.8.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.8.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.8.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -1.8.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.8.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.8.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.8.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.8.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.8.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-1.8.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.8.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.8.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.8.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.8.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.8.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.8.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.8.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.8.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.8.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.8.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.8.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.8.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.8.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-1.8.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.8.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.8.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.8.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.8.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.8.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.8.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.8.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.8.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.8.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.8.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.8.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.8.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.8.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.8.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.8.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.8.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.8.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.8.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.8.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.8.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.8.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.8.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.8.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.8.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.8.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.8.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.8.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.8.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.8.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.8.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.8.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.8.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-1.8.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.8.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.8.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.8.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.8.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.8.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -1.8.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.8.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.8.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.8.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.8.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.8.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.8.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.8.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-1.8.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. 
-1.8.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user,user.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.8.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.8.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -1.8.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.8.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.8.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.8.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.8.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.8.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.8.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.8.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.8.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.8.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.8.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.8.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.8.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.8.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-1.8.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.8.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.8.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.8.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.8.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.8.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.8.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.8.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
-1.8.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.8.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.8.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.8.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.8.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.9.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. 
+1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.9.0-dev,true,client,client.domain,wildcard,core,,,Client domain. +1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.9.0-dev,true,client,client.port,long,core,,,Port of the client. +1.9.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+1.9.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. 
+1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.9.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.9.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.9.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. +1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.9.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.9.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+1.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.9.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. 
+1.9.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.9.0-dev,true,error,error.message,text,core,,,Error message. +1.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.9.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.9.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. 
+1.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
+1.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev,true,file,file.created,date,extended,,,File creation time. +1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 
+1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.9.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.9.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. +1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+1.9.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. 
+1.9.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.9.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.9.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. 
+1.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.9.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +1.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. 
+1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+1.9.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.9.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. +1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
+1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.9.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +1.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. +1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.9.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. +1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. 
+1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.9.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0-dev,true,process,process.title,wildcard,extended,,,Process title. +1.9.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. 
+1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.9.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.9.0-dev,true,server,server.domain,wildcard,core,,,Server domain. +1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.9.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.9.0-dev,true,server,server.port,long,core,,,Port of the server. +1.9.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.9.0-dev,true,source,source.domain,wildcard,core,,,Source domain. +1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.9.0-dev,true,source,source.port,long,core,,,Port of the source. +1.9.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.9.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
+1.9.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.9.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
+1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.9.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
+1.9.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.9.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+1.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.9.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.9.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. +1.9.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. +1.9.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,user,user.email,wildcard,extended,,,User email address. +1.9.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
+1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. +1.9.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.9.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
+1.9.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
+1.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index bf81034aec..378c3dc0fa 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -5,7 +5,7 @@ "mappings": { "_doc": { "_meta": { - "version": "1.8.0-dev" + "version": "1.9.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 98bf95f301..2a9466df8b 100644 
--- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.8.0-dev" + "version": "1.9.0-dev" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json index 353ba82a15..d7921d9adf 100644 --- a/generated/elasticsearch/component/agent.json +++ b/generated/elasticsearch/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json index 5f5c1db363..406ed0981d 100644 --- a/generated/elasticsearch/component/base.json +++ b/generated/elasticsearch/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json index 31e691aed1..c0840d578f 100644 --- a/generated/elasticsearch/component/client.json +++ b/generated/elasticsearch/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json index 4f232454c4..b13150c6a0 100644 --- a/generated/elasticsearch/component/cloud.json +++ b/generated/elasticsearch/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json index 38eca1d7f2..b7c8e6858e 100644 --- a/generated/elasticsearch/component/container.json +++ b/generated/elasticsearch/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json index d9e445f419..cf63935a0a 100644 --- a/generated/elasticsearch/component/destination.json +++ b/generated/elasticsearch/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index d1654a2995..8e878c310e 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json index 15a736a4cf..f66115ccb1 100644 --- a/generated/elasticsearch/component/dns.json +++ b/generated/elasticsearch/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json index f0236e672f..561892a4ed 100644 --- a/generated/elasticsearch/component/ecs.json 
+++ b/generated/elasticsearch/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json index 6ed08970ef..328259dd49 100644 --- a/generated/elasticsearch/component/error.json +++ b/generated/elasticsearch/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json index 85c990900f..06bcdfae66 100644 --- a/generated/elasticsearch/component/event.json +++ b/generated/elasticsearch/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index 073dc7959e..a2f17562f9 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json index 381724c510..13d6a829a5 100644 --- a/generated/elasticsearch/component/group.json +++ b/generated/elasticsearch/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index de2b9925b0..c0e3c0fcf5 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json index ee434bc3d3..0e38b06c88 100644 --- a/generated/elasticsearch/component/http.json +++ b/generated/elasticsearch/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json index 79ac511fe0..b699db361d 100644 --- a/generated/elasticsearch/component/log.json +++ b/generated/elasticsearch/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json index 7310610229..bb6d172e07 100644 --- a/generated/elasticsearch/component/network.json +++ b/generated/elasticsearch/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json index f7b5f2fd65..30dce73707 100644 --- a/generated/elasticsearch/component/observer.json 
+++ b/generated/elasticsearch/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json index c00ed11538..d9cb399e89 100644 --- a/generated/elasticsearch/component/organization.json +++ b/generated/elasticsearch/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json index c15e8d6c91..ea843e3323 100644 --- a/generated/elasticsearch/component/package.json +++ b/generated/elasticsearch/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 472f0029fb..60ad49260b 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json index db6a8c5ba2..0ed4b2c47c 100644 --- a/generated/elasticsearch/component/registry.json +++ b/generated/elasticsearch/component/registry.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json index 39b205f4c2..0afe5810bd 100644 --- a/generated/elasticsearch/component/related.json +++ b/generated/elasticsearch/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json index 735200cd82..65dfd9b1c2 100644 --- a/generated/elasticsearch/component/rule.json +++ b/generated/elasticsearch/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index 7a5940efb4..39f925b650 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json index eb2e6517b3..2d9d66dfe2 100644 --- a/generated/elasticsearch/component/service.json +++ b/generated/elasticsearch/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index ae2b85b106..5a00a9eb52 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index bf0ecc3778..cdd6f904b5 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json index be3dd91253..35a5c46faf 100644 --- a/generated/elasticsearch/component/tls.json +++ b/generated/elasticsearch/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json index bce8899078..12ad11e6fa 100644 --- a/generated/elasticsearch/component/tracing.json +++ b/generated/elasticsearch/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json index c50ced4a7d..0975aa95ce 100644 --- a/generated/elasticsearch/component/url.json 
+++ b/generated/elasticsearch/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json index 8a1a714414..02dee92890 100644 --- a/generated/elasticsearch/component/user.json +++ b/generated/elasticsearch/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json index c45d126c48..6ecb7d46e4 100644 --- a/generated/elasticsearch/component/user_agent.json +++ b/generated/elasticsearch/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json index cd04fb1f4e..9de1f1b4e6 100644 --- a/generated/elasticsearch/component/vulnerability.json +++ b/generated/elasticsearch/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "template": { "mappings": { diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json index 2405e0a28d..9444d33b52 100644 --- a/generated/elasticsearch/template.json +++ b/generated/elasticsearch/template.json 
@@ -1,43 +1,43 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "1.8.0-dev" + "ecs_version": "1.9.0-dev" }, "composed_of": [ - "ecs_1.8.0-dev_agent", - "ecs_1.8.0-dev_base", - "ecs_1.8.0-dev_client", - "ecs_1.8.0-dev_cloud", - "ecs_1.8.0-dev_container", - "ecs_1.8.0-dev_destination", - "ecs_1.8.0-dev_dll", - "ecs_1.8.0-dev_dns", - "ecs_1.8.0-dev_ecs", - "ecs_1.8.0-dev_error", - "ecs_1.8.0-dev_event", - "ecs_1.8.0-dev_file", - "ecs_1.8.0-dev_group", - "ecs_1.8.0-dev_host", - "ecs_1.8.0-dev_http", - "ecs_1.8.0-dev_log", - "ecs_1.8.0-dev_network", - "ecs_1.8.0-dev_observer", - "ecs_1.8.0-dev_organization", - "ecs_1.8.0-dev_package", - "ecs_1.8.0-dev_process", - "ecs_1.8.0-dev_registry", - "ecs_1.8.0-dev_related", - "ecs_1.8.0-dev_rule", - "ecs_1.8.0-dev_server", - "ecs_1.8.0-dev_service", - "ecs_1.8.0-dev_source", - "ecs_1.8.0-dev_threat", - "ecs_1.8.0-dev_tls", - "ecs_1.8.0-dev_tracing", - "ecs_1.8.0-dev_url", - "ecs_1.8.0-dev_user", - "ecs_1.8.0-dev_user_agent", - "ecs_1.8.0-dev_vulnerability" + "ecs_1.9.0-dev_agent", + "ecs_1.9.0-dev_base", + "ecs_1.9.0-dev_client", + "ecs_1.9.0-dev_cloud", + "ecs_1.9.0-dev_container", + "ecs_1.9.0-dev_destination", + "ecs_1.9.0-dev_dll", + "ecs_1.9.0-dev_dns", + "ecs_1.9.0-dev_ecs", + "ecs_1.9.0-dev_error", + "ecs_1.9.0-dev_event", + "ecs_1.9.0-dev_file", + "ecs_1.9.0-dev_group", + "ecs_1.9.0-dev_host", + "ecs_1.9.0-dev_http", + "ecs_1.9.0-dev_log", + "ecs_1.9.0-dev_network", + "ecs_1.9.0-dev_observer", + "ecs_1.9.0-dev_organization", + "ecs_1.9.0-dev_package", + "ecs_1.9.0-dev_process", + "ecs_1.9.0-dev_registry", + "ecs_1.9.0-dev_related", + "ecs_1.9.0-dev_rule", + "ecs_1.9.0-dev_server", + "ecs_1.9.0-dev_service", + "ecs_1.9.0-dev_source", + "ecs_1.9.0-dev_threat", + "ecs_1.9.0-dev_tls", + "ecs_1.9.0-dev_tracing", + "ecs_1.9.0-dev_url", + "ecs_1.9.0-dev_user", + "ecs_1.9.0-dev_user_agent", + "ecs_1.9.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" 
diff --git a/version b/version index 0ef074f2ec..b57588e592 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.8.0-dev +1.9.0-dev From ddf256874fd16f828a54c6aede966a842aaf95cf Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 16 Dec 2020 14:30:48 -0600 Subject: [PATCH 65/90] [1.x] Cut 1.8 FF changelog.next.md #1199 (#1201) --- CHANGELOG.next.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index d85ec4c97a..335325069f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -9,11 +9,25 @@ Thanks, you're awesome :-) --> ## Unreleased ### Schema Changes +### Tooling and Artifact Changes #### Breaking changes #### Bugfixes +#### Added + +#### Improvements + +#### Deprecated + + +## 1.8.0 (Feature Freeze) + +### Schema Changes + +#### Bugfixes + * Clean up `event.reference` description. #1181 #### Added @@ -27,7 +41,9 @@ Thanks, you're awesome :-) --> #### Improvements * Event categorization fields GA. #1067 +* `wildcard` field type adoption. #1098 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 +* Reinforce the exclusion of the leading dot from `url.extension`. #1151 #### Deprecated @@ -35,8 +51,6 @@ Thanks, you're awesome :-) --> ### Tooling and Artifact Changes -#### Breaking changes - #### Bugfixes * `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164 
@@ -49,17 +63,16 @@ Thanks, you're awesome :-) --> * Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050 * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051 * Added support for `constant_keyword`'s optional parameter `value`. #1112 -* Added component templates for ECS field sets. #1156, #1186 +* Added component templates for ECS field sets. #1156, #1186, #1191 #### Improvements +* Make all fields linkable directly. #1148 * Added a notice highlighting that the `tracing` fields are not nested under the namespace `tracing.` #1162 * ES 6.x template data types will fallback to supported types. #1171, #1176, #1186 * Add a documentation page discussing the experimental artifacts. #1189 -#### Deprecated - * Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051 * Added support for `constant_keyword`'s optional parameter `value`. #1112 * Added component templates for ECS field sets. #1156, #1186, #1191 +* Added functionality for merging custom and core multi-fields. #982 #### Improvements diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py index 07477551af..04f3218ae4 100644 --- a/scripts/schema/loader.py +++ b/scripts/schema/loader.py 
@@ -186,6 +186,28 @@ def nest_fields(field_array): return schema_root +def array_of_maps_to_map(array_vals): + ret_map = {} + for map_val in array_vals: + name = map_val['name'] + # if multiple name fields exist in the same custom definition this will take the last one + ret_map[name] = map_val + return ret_map + + +def map_of_maps_to_array(map_vals): + ret_list = [] + for key in map_vals: + ret_list.append(map_vals[key]) + return sorted(ret_list, key=lambda k: k['name']) + + +def dedup_and_merge_lists(list_a, list_b): + list_a_map = array_of_maps_to_map(list_a) + list_a_map.update(array_of_maps_to_map(list_b)) + return map_of_maps_to_array(list_a_map) + + def merge_fields(a, b): """Merge ECS field sets with custom field sets.""" a = copy.deepcopy(a) @@ -199,6 +221,14 @@ def merge_fields(a, b): a[key].setdefault('field_details', {}) a[key]['field_details'].setdefault('normalize', []) a[key]['field_details']['normalize'].extend(b[key]['field_details'].pop('normalize')) + if 'multi_fields' in b[key]['field_details']: + a[key].setdefault('field_details', {}) + a[key]['field_details'].setdefault('multi_fields', []) + a[key]['field_details']['multi_fields'] = dedup_and_merge_lists( + a[key]['field_details']['multi_fields'], b[key]['field_details']['multi_fields']) + # if we don't do this then the update call below will overwrite a's field_details, with the original + # contents of b, which undoes our merging the multi_fields + del b[key]['field_details']['multi_fields'] a[key]['field_details'].update(b[key]['field_details']) # merge schema details if 'schema_details' in b[key]: diff --git a/scripts/tests/unit/test_schema_loader.py b/scripts/tests/unit/test_schema_loader.py index de3a718bd5..fde33e0a1c 100644 --- a/scripts/tests/unit/test_schema_loader.py +++ b/scripts/tests/unit/test_schema_loader.py 
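Review bot: `array_of_maps_to_map` reads `map_val['name']` without a guard, so a custom multi_fields entry that omits `name` surfaces as a bare KeyError with nothing pointing at the offending definition; unless the custom schema is validated before `merge_fields` runs, a check such as `if 'name' not in map_val: raise ValueError('multi_fields entry without a name: {}'.format(map_val))` ahead of the assignment would give the schema author a usable error. The three new helpers also lack docstrings, unlike `merge_fields` directly below them; a one-liner on `dedup_and_merge_lists` such as `"""Merge two lists of multi_field dicts by name; an entry in list_b replaces the list_a entry with the same name."""` states the precedence rule that the comment inside `array_of_maps_to_map` only hints at. `map_of_maps_to_array` reduces to `return sorted(map_vals.values(), key=lambda k: k['name'])`. The second hunk sits inside `merge_fields`, whose body continues outside the hunk.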
@@ -646,6 +646,81 @@ def test_merge_non_array_attributes(self): } self.assertEqual(merged_fields, expected_fields) + def test_merge_and_overwrite_multi_fields(self): + originalSchema = { + 'overwrite_field': { + 'field_details': { + 'multi_fields': [ + { + 'type': 'text', + 'name': 'text', + 'norms': True + } + ] + }, + 'fields': { + 'message': { + 'field_details': { + 'multi_fields': [ + { + 'type': 'text', + 'name': 'text' + } + ] + } + } + } + } + } + + customSchema = { + 'overwrite_field': { + 'field_details': { + 'multi_fields': [ + # this entry will completely overwrite the originalSchema's name text entry + { + 'type': 'text', + 'name': 'text' + } + ] + }, + 'fields': { + 'message': { + 'field_details': { + 'multi_fields': [ + # this entry will be merged with the originalSchema's multi_fields entries + { + 'type': 'keyword', + 'name': 'a_field' + } + ] + } + } + } + } + } + merged_fields = loader.merge_fields(originalSchema, customSchema) + expected_overwrite_field_mf = [ + { + 'type': 'text', + 'name': 'text' + } + ] + + expected_message_mf = [ + { + 'type': 'keyword', + 'name': 'a_field' + }, + { + 'type': 'text', + 'name': 'text' + } + ] + self.assertEqual(merged_fields['overwrite_field']['field_details']['multi_fields'], expected_overwrite_field_mf) + self.assertEqual(merged_fields['overwrite_field']['fields']['message']['field_details'] + ['multi_fields'], expected_message_mf) + if __name__ == '__main__': unittest.main() From 4ab85fa766a76ba37a685b02bd14eb79dde73744 Mon Sep 17 00:00:00 2001 
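Review bot: The new test exercises merge-by-name and replace-by-name, but not the branch where the custom field carries `multi_fields` and the core field has no `multi_fields` (or no `field_details`) at all, which is the path the two `setdefault` calls in `merge_fields` exist for; unless another test already covers it, adding a second custom field to `customSchema` with `multi_fields` and no counterpart entry in `originalSchema` would close that gap. The locals `originalSchema` and `customSchema` are camelCase while `merged_fields`, `expected_message_mf` and the surrounding tests use snake_case; `original_schema` / `custom_schema` would match the file. The enclosing test class starts outside the hunk.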
From: Eric Beahan Date: Wed, 13 Jan 2021 16:33:14 -0600 Subject: [PATCH 67/90] [1.x] Stage 2 changes for RFC 0009 - data_stream fields (#1215) (#1222) --- experimental/generated/beats/fields.ecs.yml | 52 ++++++++++++++ experimental/generated/csv/fields.csv | 3 + experimental/generated/ecs/ecs_flat.yml | 46 +++++++++++++ experimental/generated/ecs/ecs_nested.yml | 69 +++++++++++++++++++ .../generated/elasticsearch/7/template.json | 13 ++++ .../elasticsearch/component/data_stream.json | 25 +++++++ .../generated/elasticsearch/template.json | 3 +- experimental/schemas/data_stream.yml | 60 ++++++++++++++++ 8 files changed, 270 insertions(+), 1 deletion(-) create mode 100644 experimental/generated/elasticsearch/component/data_stream.json create mode 100644 experimental/schemas/data_stream.yml diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 02da5c2ee4..d19d6a36d8 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -564,6 +564,58 @@ ignore_above: 1024 description: Runtime managing this container. example: docker + - name: data_stream + title: Data Stream + group: 2 + description: 'The data_stream fields take part in defining the new data stream + naming scheme. + + In the new data stream naming scheme the value of the data stream fields combine + to the name of the actual data stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. + This means the fields can only contain characters that are valid as part of + names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog + post]. + + An Elasticsearch data stream consists of one or more backing indices, and a + data stream name forms part of the backing indices names. Due to this convention, + data streams must also follow index naming restrictions. For example, data stream + names cannot include \, /, *, ?, ", <, >, |, ` `. Please see the Elasticsearch + reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].' + type: group + fields: + - name: dataset + level: extended + type: constant_keyword + description: "The field can contain anything that makes sense to signify the\ + \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\ + \ etc. For data streams that otherwise fit, but that do not have dataset set\ + \ we use the value \"generic\" for the dataset value. 
`event.dataset` should\ + \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\ + \ data stream naming criteria noted above, the `dataset` value has additional\ + \ restrictions:\n * Must not contain `-`\n * No longer than 100 characters" + example: nginx.access + default_field: false + - name: namespace + level: extended + type: constant_keyword + description: "A user defined namespace. Namespaces are useful to allow grouping\ + \ of data.\nMany users already organize their indices this way, and the data\ + \ stream naming scheme now provides this best practice as a default. Many\ + \ users will populate this field with `default`. If no value is used, it falls\ + \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\ + \ above, `namespace` value has the additional restrictions:\n * Must not\ + \ contain `-`\n * No longer than 100 characters" + example: production + default_field: false + - name: type + level: extended + type: constant_keyword + description: 'An overarching type for the data stream. + + Currently allowed values are "logs" and "metrics". We expect to also add "traces" + and "synthetics" in the near future.' + example: logs + default_field: false - name: destination title: Destination group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index b5efd516c7..95199f66a2 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -60,6 +60,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. 1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. 1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +1.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +1.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. 1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. 1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f98d8b95ce..a7c053c2d1 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -705,6 +705,52 @@ container.runtime: normalize: [] short: Runtime managing this container. type: keyword +data_stream.dataset: + dashed_name: data-stream-dataset + description: "The field can contain anything that makes sense to signify the source\ + \ of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint` etc.\ + \ For data streams that otherwise fit, but that do not have dataset set we use\ + \ the value \"generic\" for the dataset value. `event.dataset` should have the\ + \ same value as `data_stream.dataset`.\nBeyond the Elasticsearch data stream naming\ + \ criteria noted above, the `dataset` value has additional restrictions:\n *\ + \ Must not contain `-`\n * No longer than 100 characters" + example: nginx.access + flat_name: data_stream.dataset + level: extended + name: dataset + normalize: [] + short: The field can contain anything that makes sense to signify the source of + the data. + type: constant_keyword +data_stream.namespace: + dashed_name: data-stream-namespace + description: "A user defined namespace. Namespaces are useful to allow grouping\ + \ of data.\nMany users already organize their indices this way, and the data stream\ + \ naming scheme now provides this best practice as a default. Many users will\ + \ populate this field with `default`. If no value is used, it falls back to `default`.\n\ + Beyond the Elasticsearch index naming criteria noted above, `namespace` value\ + \ has the additional restrictions:\n * Must not contain `-`\n * No longer than\ + \ 100 characters" + example: production + flat_name: data_stream.namespace + level: extended + name: namespace + normalize: [] + short: A user defined namespace. Namespaces are useful to allow grouping of data. + type: constant_keyword +data_stream.type: + dashed_name: data-stream-type + description: 'An overarching type for the data stream. + + Currently allowed values are "logs" and "metrics". We expect to also add "traces" + and "synthetics" in the near future.' 
+ example: logs + flat_name: data_stream.type + level: extended + name: type + normalize: [] + short: An overarching type for the data stream. + type: constant_keyword destination.address: dashed_name: destination-address description: 'Some event destination addresses are defined ambiguously. The event diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 97acbc2459..2b825db77d 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -983,6 +983,75 @@ container: short: Fields describing the container that generated this event. title: Container type: group +data_stream: + description: 'The data_stream fields take part in defining the new data stream naming + scheme. + + In the new data stream naming scheme the value of the data stream fields combine + to the name of the actual data stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. + This means the fields can only contain characters that are valid as part of names + of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog + post]. + + An Elasticsearch data stream consists of one or more backing indices, and a data + stream name forms part of the backing indices names. Due to this convention, data + streams must also follow index naming restrictions. For example, data stream names + cannot include \, /, *, ?, ", <, >, |, ` `. Please see the Elasticsearch reference + for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].' + fields: + data_stream.dataset: + dashed_name: data-stream-dataset + description: "The field can contain anything that makes sense to signify the\ + \ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\ + \ etc. For data streams that otherwise fit, but that do not have dataset set\ + \ we use the value \"generic\" for the dataset value. 
`event.dataset` should\ + \ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\ + \ data stream naming criteria noted above, the `dataset` value has additional\ + \ restrictions:\n * Must not contain `-`\n * No longer than 100 characters" + example: nginx.access + flat_name: data_stream.dataset + level: extended + name: dataset + normalize: [] + short: The field can contain anything that makes sense to signify the source + of the data. + type: constant_keyword + data_stream.namespace: + dashed_name: data-stream-namespace + description: "A user defined namespace. Namespaces are useful to allow grouping\ + \ of data.\nMany users already organize their indices this way, and the data\ + \ stream naming scheme now provides this best practice as a default. Many\ + \ users will populate this field with `default`. If no value is used, it falls\ + \ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\ + \ above, `namespace` value has the additional restrictions:\n * Must not\ + \ contain `-`\n * No longer than 100 characters" + example: production + flat_name: data_stream.namespace + level: extended + name: namespace + normalize: [] + short: A user defined namespace. Namespaces are useful to allow grouping of + data. + type: constant_keyword + data_stream.type: + dashed_name: data-stream-type + description: 'An overarching type for the data stream. + + Currently allowed values are "logs" and "metrics". We expect to also add "traces" + and "synthetics" in the near future.' + example: logs + flat_name: data_stream.type + level: extended + name: type + normalize: [] + short: An overarching type for the data stream. + type: constant_keyword + group: 2 + name: data_stream + prefix: data_stream. + short: The data_stream fields take part in defining the new data stream naming scheme. + title: Data Stream + type: group destination: description: 'Destination fields capture details about the receiver of a network exchange/packet. 
These fields are populated from a network event, packet, or other diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 029aa451f3..7420e1c441 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -303,6 +303,19 @@ } } }, + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, "destination": { "properties": { "address": { diff --git a/experimental/generated/elasticsearch/component/data_stream.json b/experimental/generated/elasticsearch/component/data_stream.json new file mode 100644 index 0000000000..3d4d93c586 --- /dev/null +++ b/experimental/generated/elasticsearch/component/data_stream.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", + "ecs_version": "1.9.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json index b8f252c020..f81f6b49dc 100644 --- a/experimental/generated/elasticsearch/template.json +++ b/experimental/generated/elasticsearch/template.json @@ -37,7 +37,8 @@ "ecs_1.9.0-dev-exp_url", "ecs_1.9.0-dev-exp_user", "ecs_1.9.0-dev-exp_user_agent", - "ecs_1.9.0-dev-exp_vulnerability" + "ecs_1.9.0-dev-exp_vulnerability", + "ecs_1.9.0-dev-exp_data_stream" ], "index_patterns": [ "try-ecs-*" diff --git a/experimental/schemas/data_stream.yml b/experimental/schemas/data_stream.yml new file mode 100644 index 0000000000..d651800fa4 --- /dev/null 
+++ b/experimental/schemas/data_stream.yml 
@@ -0,0 +1,60 @@ +--- +- name: data_stream + title: Data Stream + short: The data_stream fields take part in defining the new data stream naming scheme. + description: > + The data_stream fields take part in defining the new data stream naming scheme. + + In the new data stream naming scheme the value of the data stream fields combine to the name of the actual data + stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields + can only contain characters that are valid as part of names of data streams. More details about this can be found in + this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog post]. + + An Elasticsearch data stream consists of one or more backing indices, and a data stream name forms part of the backing indices names. + Due to this convention, data streams must also follow index naming restrictions. For example, data stream names cannot include \, /, *, ?, ", <, >, |, ` `. + Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. + fields: + + - name: type + level: extended + type: constant_keyword + example: logs + # Any future values for `data_stream.type` should also adhere to the following restrictions (these are derived from the Elasticsearch index restrictions): + # * Must not contain `-` + # * Must not start with `+` or `_` + description: > + An overarching type for the data stream. + + Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. + short: An overarching type for the data stream. + + - name: dataset + level: extended + type: constant_keyword + example: nginx.access + description: > + The field can contain anything that makes sense to signify the source of the data. + + Examples include `nginx.access`, `prometheus`, `endpoint` etc. 
For data streams that otherwise fit, but that + do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the + same value as `data_stream.dataset`. + + Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: + * Must not contain `-` + * No longer than 100 characters + short: The field can contain anything that makes sense to signify the source of the data. + + - name: namespace + level: extended + type: constant_keyword + example: production + description: > + A user defined namespace. Namespaces are useful to allow grouping of data. + + Many users already organize their indices this way, and the data stream naming scheme now provides this + best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. + + Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: + * Must not contain `-` + * No longer than 100 characters + short: A user defined namespace. Namespaces are useful to allow grouping of data. From 2b240f15ccefb408b57566bcc818fe7a2f931a7f Mon Sep 17 00:00:00 2001 
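Review bot: The per-field restriction lists for `dataset` and `namespace` (`* Must not contain `-`` / `* No longer than 100 characters`) omit the lowercase requirement that the set-level description inherits from Elasticsearch index naming, so an integrator following only the field text could emit `Nginx.Access` and produce an invalid stream name. Consider adding ` * Must be lowercase` to both lists, and mirroring it for `type`, whose own restrictions (`Must not start with + or _`) currently live only in a YAML comment that does not reach the generated docs. If that comment is meant to stay maintainer-only, a one-sentence summary in the `type` description would still help producers.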
From: Eric Beahan Date: Thu, 14 Jan 2021 10:21:12 -0600 Subject: [PATCH 68/90] [1.x] add http.request.id (#1208) (#1223) Co-authored-by: Eric Beahan Co-authored-by: Gil Raphaelli --- CHANGELOG.next.md | 2 ++ code/go/ecs/http.go | 6 ++++++ docs/field-details.asciidoc | 18 ++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 11 +++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 15 +++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 15 +++++++++++++++ .../generated/elasticsearch/7/template.json | 4 ++++ .../elasticsearch/component/http.json | 4 ++++ generated/beats/fields.ecs.yml | 11 +++++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 15 +++++++++++++++ generated/ecs/ecs_nested.yml | 15 +++++++++++++++ generated/elasticsearch/6/template.json | 4 ++++ generated/elasticsearch/7/template.json | 4 ++++ generated/elasticsearch/component/http.json | 4 ++++ schemas/http.yml | 13 +++++++++++++ 17 files changed, 143 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f3225ffdb3..ca70e28078 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -17,6 +17,8 @@ Thanks, you're awesome :-) --> #### Added +* Added `http.request.id`. #1208 + #### Improvements #### Deprecated diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go index 9abb112274..278b28378a 100644 --- a/code/go/ecs/http.go +++ b/code/go/ecs/http.go @@ -22,6 +22,12 @@ package ecs // Fields related to HTTP activity. Use the `url` field set to store the url of // the request. type Http struct { + // A unique identifier for each HTTP request to correlate logs between + // clients and servers in transactions. + // The id may be contained in a non-standard HTTP header, such as + // `X-Request-ID` or `X-Correlation-ID`. + RequestID string `ecs:"request.id"` + // HTTP request method. // Prior to ECS 1.6.0 the following guidance was provided: // "The field value must be normalized to lowercase for querying." 
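Review bot: The comment on `RequestID` calls the value "a unique identifier", but when it is copied from an inbound `X-Request-ID` / `X-Correlation-ID` header it is client-supplied, so neither uniqueness nor format is guaranteed and a consumer should not use it as a deduplication or trust key. Suggest adding to the description `The value is commonly client-supplied; treat it as an opaque correlation string rather than a guaranteed-unique or trusted key.`. This file appears to be generated from `schemas/http.yml`, whose hunk later in this series adds the same description text, so the wording change belongs there and the Go comment will follow on regeneration. The `Http` struct body continues past the end of the hunk.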
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 73bc4467d3..1c24738341 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3383,6 +3383,24 @@ example: `1437` // =============================================================== +| +[[field-http-request-id]] +<> + +| A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + +The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + +type: keyword + + + +example: `123e4567-e89b-12d3-a456-426614174000` + +| extended + +// =============================================================== + | [[field-http-request-method]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index d19d6a36d8..501e0d801e 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2413,6 +2413,17 @@ format: bytes description: Total size in bytes of the request (body and headers). example: 1437 + - name: request.id + level: extended + type: keyword + ignore_above: 1024 + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + default_field: false - name: request.method level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 95199f66a2..d7ce2df034 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -281,6 +281,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. 1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. 1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. 1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a7c053c2d1..25e79b4947 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3832,6 +3832,21 @@ http.request.bytes: normalize: [] short: Total size in bytes of the request (body and headers). type: long +http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 2b825db77d..ef90a2bcd8 100644 --- a/experimental/generated/ecs/ecs_nested.yml 
+++ b/experimental/generated/ecs/ecs_nested.yml @@ -4548,6 +4548,21 @@ http: normalize: [] short: Total size in bytes of the request (body and headers). type: long + http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 7420e1c441..70ed2974d8 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1296,6 +1296,10 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json index b2284df25e..3b79b53c86 100644 --- a/experimental/generated/elasticsearch/component/http.json +++ b/experimental/generated/elasticsearch/component/http.json @@ -29,6 +29,10 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 55bf39366c..aca54a4756 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2315,6 +2315,17 @@ format: bytes description: Total size in bytes of the request (body and headers). example: 1437 + - name: request.id + level: extended + type: keyword + ignore_above: 1024 + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + default_field: false - name: request.method level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 87ca4a70d3..b6d222e2b4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -271,6 +271,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. 1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. 1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. 1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7e7347eba8..eed7fb34ad 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3712,6 +3712,21 @@ http.request.bytes: normalize: [] short: Total size in bytes of the request (body and headers). type: long +http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 47cd8526ef..a78c8b1774 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4405,6 +4405,21 @@ http: normalize: [] short: Total size in bytes of the request (body and headers). type: long + http.request.id: + dashed_name: http-request-id + description: 'A unique identifier for each HTTP request to correlate logs between + clients and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`.' + example: 123e4567-e89b-12d3-a456-426614174000 + flat_name: http.request.id + ignore_above: 1024 + level: extended + name: request.id + normalize: [] + short: HTTP request ID. + type: keyword http.request.method: dashed_name: http-request-method description: 'HTTP request method. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 378c3dc0fa..248a06ed55 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1270,6 +1270,10 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 2a9466df8b..87007a70f3 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1233,6 +1233,10 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json index 0e38b06c88..d208148bdb 100644 --- a/generated/elasticsearch/component/http.json +++ b/generated/elasticsearch/component/http.json @@ -29,6 +29,10 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/http.yml b/schemas/http.yml index f0ee23c53a..75475199b4 100644 --- a/schemas/http.yml +++ b/schemas/http.yml @@ -8,6 +8,19 @@ type: group fields: + - name: request.id + level: extended + type: keyword + short: HTTP request ID. + description: > + A unique identifier for each HTTP request to correlate logs between clients + and servers in transactions. + + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` + or `X-Correlation-ID`. + + example: 123e4567-e89b-12d3-a456-426614174000 + - name: request.method level: extended type: keyword From 36ebb017da9592b95db15482a7b35799c0cfd134 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Thu, 14 Jan 2021 10:34:51 -0600 Subject: [PATCH 69/90] [1.x] add cloud.service.name (#1204) (#1224) * add cloud.platform * expand cloud.platform description * move to cloud.service.name Co-authored-by: Gil Raphaelli --- CHANGELOG.next.md | 1 + code/go/ecs/cloud.go | 6 ++++++ docs/field-details.asciidoc | 18 ++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 11 +++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 15 +++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 15 +++++++++++++++ .../generated/elasticsearch/7/template.json | 8 ++++++++ .../elasticsearch/component/cloud.json | 8 ++++++++ generated/beats/fields.ecs.yml | 11 +++++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 15 +++++++++++++++ generated/ecs/ecs_nested.yml | 15 +++++++++++++++ generated/elasticsearch/6/template.json | 8 ++++++++ generated/elasticsearch/7/template.json | 8 ++++++++ generated/elasticsearch/component/cloud.json | 8 ++++++++ schemas/cloud.yml | 12 ++++++++++++ 17 files changed, 161 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ca70e28078..7abb10dbfb 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,7 @@ Thanks, you're awesome :-) --> #### Added * Added `http.request.id`. #1208 +* Added `cloud.service.name`. #1204 #### Improvements diff --git a/code/go/ecs/cloud.go b/code/go/ecs/cloud.go index 630e0c6fce..13b7ff551a 100644 --- a/code/go/ecs/cloud.go +++ b/code/go/ecs/cloud.go 
@@ -51,6 +51,12 @@ type Cloud struct { // Examples: AWS account name, Google Cloud ORG display name. AccountName string `ecs:"account.name"` + // The cloud service name is intended to distinguish services running on + // different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs + // App Engine, Azure VM vs App Server. + // Examples: app engine, app service, cloud run, fargate, lambda. + ServiceName string `ecs:"service.name"` + // The cloud project identifier. // Examples: Google Cloud Project id, Azure Project id. ProjectID string `ecs:"project.id"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 1c24738341..eb72c4aa44 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -738,6 +738,24 @@ example: `us-east-1` // =============================================================== +| +[[field-cloud-service-name]] +<> + +| The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. + +Examples: app engine, app service, cloud run, fargate, lambda. + +type: keyword + + + +example: `lambda` + +| extended + +// =============================================================== + |===== [[ecs-code_signature]] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 501e0d801e..e687969bf8 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
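Review bot: The `ServiceName` description gives lowercase, space-containing examples (`app engine`, `cloud run`, `lambda`) but never states whether producers must normalize the value, and for a `keyword` field queried by exact match `App Engine` and `app engine` are different values. If lowercase is the intent, a sentence such as `Values are expected to be lowercase, e.g. app engine, lambda.` would make the contract explicit; `eg` should also read `e.g.`. This file looks generated from `schemas/cloud.yml` (listed in the diffstat but outside this excerpt), so the wording belongs there. The `Cloud` struct starts before and continues past the hunk.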
@@ -476,6 +476,17 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: service.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs + App Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + default_field: false - name: code_signature title: Code Signature group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d7ce2df034..bb4d0bf393 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -54,6 +54,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. 1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. 1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. 1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. 1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 25e79b4947..712c63c9a5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -643,6 +643,21 @@ cloud.region: normalize: [] short: Region in which this host is running. type: keyword +cloud.service.name: + dashed_name: cloud-service-name + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App + Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + flat_name: cloud.service.name + ignore_above: 1024 + level: extended + name: service.name + normalize: [] + short: The cloud service name. + type: keyword container.id: dashed_name: container-id description: Unique container id. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ef90a2bcd8..9016fe8641 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -814,6 +814,21 @@ cloud: normalize: [] short: Region in which this host is running. type: keyword + cloud.service.name: + dashed_name: cloud-service-name + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs + App Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + flat_name: cloud.service.name + ignore_above: 1024 + level: extended + name: service.name + normalize: [] + short: The cloud service name. + type: keyword footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 70ed2974d8..1582968a6f 100644 --- a/experimental/generated/elasticsearch/7/template.json 
+++ b/experimental/generated/elasticsearch/7/template.json @@ -269,6 +269,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json index 52f33efb8c..b33d205acc 100644 --- a/experimental/generated/elasticsearch/component/cloud.json +++ b/experimental/generated/elasticsearch/component/cloud.json @@ -63,6 +63,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index aca54a4756..d31d592579 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -476,6 +476,17 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: service.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs + App Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + default_field: false - name: code_signature title: Code Signature group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index b6d222e2b4..0d13e795b4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -54,6 +54,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. 1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. 1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. 1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id. 1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index eed7fb34ad..73efa64c18 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -643,6 +643,21 @@ cloud.region: normalize: [] short: Region in which this host is running. type: keyword +cloud.service.name: + dashed_name: cloud-service-name + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App + Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + flat_name: cloud.service.name + ignore_above: 1024 + level: extended + name: service.name + normalize: [] + short: The cloud service name. + type: keyword container.id: dashed_name: container-id description: Unique container id. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a78c8b1774..1461638964 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -814,6 +814,21 @@ cloud: normalize: [] short: Region in which this host is running. type: keyword + cloud.service.name: + dashed_name: cloud-service-name + description: 'The cloud service name is intended to distinguish services running + on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs + App Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda.' + example: lambda + flat_name: cloud.service.name + ignore_above: 1024 + level: extended + name: service.name + normalize: [] + short: The cloud service name. + type: keyword footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 248a06ed55..6b84ad5897 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -278,6 +278,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 87007a70f3..2f02eb6e41 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -269,6 +269,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json index b13150c6a0..f106357123 100644 --- a/generated/elasticsearch/component/cloud.json +++ b/generated/elasticsearch/component/cloud.json 
@@ -63,6 +63,14 @@ "region": { "ignore_above": 1024, "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/schemas/cloud.yml b/schemas/cloud.yml index 0789feb79a..789b2d7485 100644 --- a/schemas/cloud.yml +++ b/schemas/cloud.yml @@ -80,6 +80,18 @@ Examples: AWS account name, Google Cloud ORG display name. + - name: service.name + level: extended + type: keyword + example: lambda + short: The cloud service name. + description: > + The cloud service name is intended to distinguish services running on + different platforms within a provider, eg AWS EC2 vs Lambda, + GCP GCE vs App Engine, Azure VM vs App Server. + + Examples: app engine, app service, cloud run, fargate, lambda. + - name: project.id level: extended type: keyword From a487613e26fa1a00cf83f25bedccf37cee285960 Mon Sep 17 00:00:00 2001 
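Review bot: The new `description:` for `service.name` in schemas/cloud.yml abbreviates "for example" as `eg`, while the project's other schema prose (hash.yml's "e.g. MD5, SHA1") writes `e.g.`; because this text is copied verbatim into every generated artifact in this patch (ecs_flat.yml, ecs_nested.yml, the Beats fields file), it is worth fixing at the source: `different platforms within a provider, e.g. AWS EC2 vs Lambda,`. The rest of the entry (level, type, example, short) matches the sibling cloud fields.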
From: Eric Beahan Date: Fri, 15 Jan 2021 12:57:12 -0600 Subject: [PATCH 70/90] [1.x] Add ssdeep hash (#1169) (#1227) Co-authored-by: Andrew Stucki --- CHANGELOG.next.md | 1 + code/go/ecs/hash.go | 9 ++- docs/field-details.asciidoc | 20 +++++- experimental/generated/beats/fields.ecs.yml | 39 +++++++++++- experimental/generated/csv/fields.csv | 4 ++ experimental/generated/ecs/ecs_flat.yml | 44 +++++++++++++ experimental/generated/ecs/ecs_nested.yml | 63 ++++++++++++++++++- .../generated/elasticsearch/7/template.json | 16 +++++ .../elasticsearch/component/dll.json | 4 ++ .../elasticsearch/component/file.json | 4 ++ .../elasticsearch/component/process.json | 8 +++ generated/beats/fields.ecs.yml | 39 +++++++++++- generated/csv/fields.csv | 4 ++ generated/ecs/ecs_flat.yml | 44 +++++++++++++ generated/ecs/ecs_nested.yml | 63 ++++++++++++++++++- generated/elasticsearch/6/template.json | 16 +++++ generated/elasticsearch/7/template.json | 16 +++++ generated/elasticsearch/component/dll.json | 4 ++ generated/elasticsearch/component/file.json | 4 ++ .../elasticsearch/component/process.json | 8 +++ schemas/hash.yml | 11 +++- 21 files changed, 410 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7abb10dbfb..9baec5b634 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> * Added `http.request.id`. #1208 * Added `cloud.service.name`. #1204 +* Added `hash.ssdeep`. #1169 #### Improvements diff --git a/code/go/ecs/hash.go b/code/go/ecs/hash.go index 070b4256cc..aa9354c759 100644 --- a/code/go/ecs/hash.go +++ b/code/go/ecs/hash.go 
@@ -19,10 +19,14 @@ package ecs -// The hash fields represent different hash algorithms and their values. +// The hash fields represent different bitwise hash algorithms and their +// values. // Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields // for other hashes by lowercasing the hash algorithm name and using underscore // separators as appropriate (snake case, e.g. sha3_512). +// Note that this fieldset is used for common hashes that may be computed over +// a range of generic bytes. Entity-specific hashes such as ja3 or imphash are +// placed in the fieldsets to which they relate (tls and pe, respectively). type Hash struct { // MD5 hash. Md5 string `ecs:"md5"` @@ -35,4 +39,7 @@ type Hash struct { // SHA512 hash. Sha512 string `ecs:"sha512"` + + // SSDEEP hash. + Ssdeep string `ecs:"ssdeep"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index eb72c4aa44..efacab4e1b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3023,10 +3023,12 @@ Note also that the `group` fields may be used directly at the root of the events [[ecs-hash]] === Hash Fields -The hash fields represent different hash algorithms and their values. +The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively). + [discrete] ==== Hash Field Details 
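Review bot: The new `Ssdeep` field's comment `// SSDEEP hash.` does not say that ssdeep is a fuzzy (context-triggered piecewise) hash, which matters to anyone matching on these fields: unlike the Md5/Sha* digests above it, ssdeep values for near-identical inputs differ and are compared with a similarity score, so an exact-term lookup on this field only finds byte-identical inputs. I would write it as `// SSDEEP hash (fuzzy, context-triggered piecewise hash; compared by similarity score, not equality).`. The struct comment's new phrase "bitwise hash algorithms" does not name a recognised class of hash — the predefined fields are cryptographic digests plus this similarity hash — so `different hash algorithms (cryptographic digests and similarity hashes)` reads more precisely. This file appears to be generated from the schema, so the wording change belongs in the `description:` of the schemas/hash.yml hunk later in this patch; the same text in docs/field-details.asciidoc and the generated YAML/JSON artifacts follows from it.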
@@ -3096,6 +3098,22 @@ type: keyword +| extended + +// =============================================================== + +| +[[field-hash-ssdeep]] +<> + +| SSDEEP hash. + +type: keyword + + + + + | extended // =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index e687969bf8..23727e859f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -951,6 +951,12 @@ ignore_above: 1024 description: SHA512 hash. default_field: false + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: name level: core type: keyword @@ -1682,6 +1688,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: inode level: extended type: keyword @@ -2068,11 +2080,16 @@ - name: hash title: Hash group: 2 - description: 'The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different bitwise hash algorithms and + their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512).' + as appropriate (snake case, e.g. sha3_512). + + Note that this fieldset is used for common hashes that may be computed over + a range of generic bytes. Entity-specific hashes such as ja3 or imphash are + placed in the fieldsets to which they relate (tls and pe, respectively).' type: group fields: - name: md5 
@@ -2095,6 +2112,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: host title: Host group: 2 @@ -3500,6 +3523,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: name level: extended type: wildcard @@ -3645,6 +3674,12 @@ ignore_above: 1024 description: SHA512 hash. default_field: false + - name: parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: parent.name level: extended type: wildcard diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index bb4d0bf393..d7cded544d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -108,6 +108,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
@@ -186,6 +187,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. @@ -395,6 +397,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. 1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
@@ -414,6 +417,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. 1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 712c63c9a5..ce8874fbe8 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1298,6 +1298,17 @@ dll.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +dll.hash.ssdeep: + dashed_name: dll-hash-ssdeep + description: SSDEEP hash. + flat_name: dll.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword dll.name: dashed_name: dll-name description: 'Name of the library. @@ -2722,6 +2733,17 @@ file.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +file.hash.ssdeep: + dashed_name: file-hash-ssdeep + description: SSDEEP hash. + flat_name: file.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword file.inode: dashed_name: file-inode description: Inode representing the file in the filesystem. 
@@ -5283,6 +5305,17 @@ process.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. @@ -5518,6 +5551,17 @@ process.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.parent.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9016fe8641..fcd725bb6b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1644,6 +1644,17 @@ dll: original_fieldset: hash short: SHA512 hash. type: keyword + dll.hash.ssdeep: + dashed_name: dll-hash-ssdeep + description: SSDEEP hash. + flat_name: dll.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword dll.name: dashed_name: dll-name description: 'Name of the library. 
@@ -3170,6 +3181,17 @@ file: original_fieldset: hash short: SHA512 hash. type: keyword + file.hash.ssdeep: + dashed_name: file-hash-ssdeep + description: SSDEEP hash. + flat_name: file.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword file.inode: dashed_name: file-inode description: Inode representing the file in the filesystem. @@ -3902,11 +3924,16 @@ group: title: Group type: group hash: - description: 'The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different bitwise hash algorithms and their + values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512).' + as appropriate (snake case, e.g. sha3_512). + + Note that this fieldset is used for common hashes that may be computed over a + range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed + in the fieldsets to which they relate (tls and pe, respectively).' fields: hash.md5: dashed_name: hash-md5 @@ -3948,6 +3975,16 @@ hash: normalize: [] short: SHA512 hash. type: keyword + hash.ssdeep: + dashed_name: hash-ssdeep + description: SSDEEP hash. + flat_name: hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + short: SSDEEP hash. + type: keyword group: 2 name: hash prefix: hash. @@ -6379,6 +6416,17 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. 
@@ -6614,6 +6662,17 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.parent.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 1582968a6f..aebee4c182 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -523,6 +523,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -853,6 +857,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1843,6 +1851,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1927,6 +1939,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index 7491296fa2..f791052452 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -46,6 +46,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 58379893c1..0ae17a7b92 100644 --- a/experimental/generated/elasticsearch/component/file.json 
+++ b/experimental/generated/elasticsearch/component/file.json @@ -82,6 +82,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 9fad9bcc0c..ed0330dafa 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json @@ -78,6 +78,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -162,6 +166,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index d31d592579..75b3f4a862 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -899,6 +899,12 @@ ignore_above: 1024 description: SHA512 hash. default_field: false + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: name level: core type: keyword @@ -1630,6 +1636,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: inode level: extended type: keyword 
@@ -2016,11 +2028,16 @@ - name: hash title: Hash group: 2 - description: 'The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different bitwise hash algorithms and + their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512).' + as appropriate (snake case, e.g. sha3_512). + + Note that this fieldset is used for common hashes that may be computed over + a range of generic bytes. Entity-specific hashes such as ja3 or imphash are + placed in the fieldsets to which they relate (tls and pe, respectively).' type: group fields: - name: md5 @@ -2043,6 +2060,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: host title: Host group: 2 @@ -3402,6 +3425,12 @@ type: keyword ignore_above: 1024 description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: name level: extended type: wildcard @@ -3547,6 +3576,12 @@ ignore_above: 1024 description: SHA512 hash. default_field: false + - name: parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false - name: parent.name level: extended type: wildcard diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 0d13e795b4..68c90ecb74 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -105,6 +105,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. @@ -183,6 +184,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
@@ -385,6 +387,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. 1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. @@ -404,6 +407,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. 1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 73efa64c18..f30e8aced4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1252,6 +1252,17 @@ dll.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +dll.hash.ssdeep: + dashed_name: dll-hash-ssdeep + description: SSDEEP hash. + flat_name: dll.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword dll.name: dashed_name: dll-name description: 'Name of the library. 
@@ -2676,6 +2687,17 @@ file.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +file.hash.ssdeep: + dashed_name: file-hash-ssdeep + description: SSDEEP hash. + flat_name: file.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword file.inode: dashed_name: file-inode description: Inode representing the file in the filesystem. @@ -5163,6 +5185,17 @@ process.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. @@ -5398,6 +5431,17 @@ process.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.parent.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1461638964..8c15d879d4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1575,6 +1575,17 @@ dll: original_fieldset: hash short: SHA512 hash. type: keyword + dll.hash.ssdeep: + dashed_name: dll-hash-ssdeep + description: SSDEEP hash. + flat_name: dll.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword dll.name: dashed_name: dll-name description: 'Name of the library. 
@@ -3101,6 +3112,17 @@ file: original_fieldset: hash short: SHA512 hash. type: keyword + file.hash.ssdeep: + dashed_name: file-hash-ssdeep + description: SSDEEP hash. + flat_name: file.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword file.inode: dashed_name: file-inode description: Inode representing the file in the filesystem. @@ -3833,11 +3855,16 @@ group: title: Group type: group hash: - description: 'The hash fields represent different hash algorithms and their values. + description: 'The hash fields represent different bitwise hash algorithms and their + values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators - as appropriate (snake case, e.g. sha3_512).' + as appropriate (snake case, e.g. sha3_512). + + Note that this fieldset is used for common hashes that may be computed over a + range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed + in the fieldsets to which they relate (tls and pe, respectively).' fields: hash.md5: dashed_name: hash-md5 @@ -3879,6 +3906,16 @@ hash: normalize: [] short: SHA512 hash. type: keyword + hash.ssdeep: + dashed_name: hash-ssdeep + description: SSDEEP hash. + flat_name: hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + short: SSDEEP hash. + type: keyword group: 2 name: hash prefix: hash. @@ -6236,6 +6273,17 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. 
@@ -6471,6 +6519,17 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword process.parent.name: beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 6b84ad5897..5d91ba5198 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -526,6 +526,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -864,6 +868,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1827,6 +1835,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1914,6 +1926,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 2f02eb6e41..85c3f90970 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -510,6 +510,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -840,6 +844,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1780,6 +1788,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -1864,6 +1876,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index 8e878c310e..5c4ff06d3f 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -46,6 +46,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index a2f17562f9..10b9ed8f62 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -82,6 +82,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 60ad49260b..f214a3c6bd 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -78,6 +78,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -162,6 +166,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/schemas/hash.yml b/schemas/hash.yml index cc44dfcc8b..77aeb29a5d 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml 
@@ -5,12 +5,16 @@ type: group short: Hashes, usually file hashes. description: > - The hash fields represent different hash algorithms and their values. + The hash fields represent different bitwise hash algorithms and their values. Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + Note that this fieldset is used for common hashes that may be computed + over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are + placed in the fieldsets to which they relate (tls and pe, respectively). + reusable: top_level: false expected: @@ -39,3 +43,8 @@ level: extended type: keyword description: SHA512 hash. + + - name: ssdeep + level: extended + type: keyword + description: SSDEEP hash. From bc1f9af3f51d363228f24f3ab6b5b9685fe0f1e4 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Fri, 29 Jan 2021 11:55:54 -0600 Subject: [PATCH 71/90] [CI] Switch to GitHub actions (#1236) (#1245) Co-authored-by: Eric Beahan Co-authored-by: Andrew Stucki --- .github/workflows/test.yml | 19 +++++++++++++++++++ .travis.yml | 29 ----------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/test.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000000..0e4a5703f9 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,19 @@ +name: Tests + +on: [push, pull_request] + +jobs: + tests: + runs-on: ubuntu-20.04 + name: Unit Tests + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-go@v2 + with: + go-version: '^1.13.1' + - uses: actions/setup-python@v2 + with: + python-version: '3.x' + - run: git fetch --prune --unshallow --tags + - run: make setup + - run: make check diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index a56a30a073..0000000000 
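Review bot: `ssdeep` is a fuzzy (context-triggered piecewise) hash whose values are meant to be compared by similarity score rather than by equality, so storing it as `keyword` supports only exact-match lookups and dedupe, and the field description should say so to keep analysts from treating it like md5/sha*; suggested `description: SSDEEP hash (fuzzy hash; values are compared by similarity score, not by equality).` Separately, the new wording "bitwise hash algorithms" in the fieldset description is less precise than the original, since the distinction being drawn is between content hashes computed over arbitrary bytes and entity-specific hashes such as ja3 or imphash, so "content hash algorithms" (or simply keeping "hash algorithms") reads better. The second hunk appends the new field at the end of the file, so the rest of the `fields:` list it belongs to lies outside the hunk.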
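Review bot: The three actions are referenced by mutable major-version tags (`actions/checkout@v2`, `actions/setup-go@v2`, `actions/setup-python@v2`), so the job executes whatever those tags point to at run time; pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v2` (SHA taken from the action's release), keeps the CI supply chain reproducible. The workflow also declares no `permissions:` block, so on `push` the GITHUB_TOKEN receives the repository's default scopes although the steps only read the checkout; adding `permissions:` followed by `  contents: read` at workflow level applies least privilege. The `.travis.yml` deleted in the same commit installed `libxml2-utils`, `python3-venv` and `xsltproc` via apt and the new job has no equivalent step, so if `make check` still depends on those tools it may fail on the runner — worth confirming against the Makefile. `go-version: '^1.13.1'` is likewise a floating constraint; pinning the minor version keeps test results reproducible.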
--- a/.travis.yml +++ /dev/null @@ -1,29 +0,0 @@ -sudo: false - -language: go - -os: -- linux - -dist: bionic - -go: -- 1.13.x - -install: -- git fetch --tags --all -- make setup - -addons: - apt: - update: true - packages: - - libxml2-utils - - python3-venv - - xsltproc - -jobs: - include: - - stage: check - script: - - make check From 30e4a1081b8f26760cd818aed9128e81be030ad4 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Fri, 29 Jan 2021 12:08:49 -0600 Subject: [PATCH 72/90] Revert wildcard adoption back to experimental stage (#1235) (#1243) --- CHANGELOG.next.md | 1 - docs/field-details.asciidoc | 312 ++++------ experimental/generated/ecs/ecs_flat.yml | 202 ------- experimental/generated/ecs/ecs_nested.yml | 216 ------- experimental/schemas/agent.yml | 5 + experimental/schemas/as.yml | 5 + experimental/schemas/client.yml | 7 + experimental/schemas/destination.yml | 7 + experimental/schemas/dns.yml | 9 + experimental/schemas/error.yml | 9 + experimental/schemas/file.yml | 9 + experimental/schemas/geo.yml | 5 + experimental/schemas/host.yml | 3 + experimental/schemas/http.yml | 9 + experimental/schemas/log.yml | 7 + experimental/schemas/organization.yml | 5 + experimental/schemas/os.yml | 7 + experimental/schemas/pe.yml | 5 + experimental/schemas/process.yml | 15 + experimental/schemas/registry.yml | 9 + experimental/schemas/server.yml | 7 + experimental/schemas/source.yml | 7 + experimental/schemas/tls.yml | 11 + experimental/schemas/url.yml | 13 + experimental/schemas/user.yml | 9 + experimental/schemas/user_agent.yml | 5 + experimental/schemas/x509.yml | 7 + generated/beats/fields.ecs.yml | 325 +++++++---- generated/csv/fields.csv | 204 +++---- generated/ecs/ecs_flat.yml | 507 +++++++--------- generated/ecs/ecs_nested.yml | 542 +++++++----------- generated/elasticsearch/7/template.json | 305 ++++++---- generated/elasticsearch/component/agent.json | 3 +- generated/elasticsearch/component/client.json | 21 +- .../elasticsearch/component/destination.json | 21 +- generated/elasticsearch/component/dll.json | 3 +- generated/elasticsearch/component/dns.json | 6 +- generated/elasticsearch/component/error.json | 8 +- generated/elasticsearch/component/file.json | 18 +- generated/elasticsearch/component/host.json | 21 +- generated/elasticsearch/component/http.json | 9 +- generated/elasticsearch/component/log.json | 6 +- .../elasticsearch/component/observer.json | 9 +- 
.../elasticsearch/component/organization.json | 3 +- .../elasticsearch/component/process.json | 42 +- .../elasticsearch/component/registry.json | 9 +- generated/elasticsearch/component/server.json | 21 +- generated/elasticsearch/component/source.json | 21 +- generated/elasticsearch/component/tls.json | 24 +- generated/elasticsearch/component/url.json | 15 +- generated/elasticsearch/component/user.json | 36 +- .../elasticsearch/component/user_agent.json | 9 +- schemas/agent.yml | 3 +- schemas/as.yml | 3 +- schemas/client.yml | 6 +- schemas/destination.yml | 6 +- schemas/dns.yml | 6 +- schemas/error.yml | 7 +- schemas/file.yml | 9 +- schemas/geo.yml | 3 +- schemas/host.yml | 3 +- schemas/http.yml | 13 +- schemas/log.yml | 6 +- schemas/organization.yml | 3 +- schemas/os.yml | 6 +- schemas/pe.yml | 3 +- schemas/process.yml | 18 +- schemas/registry.yml | 9 +- schemas/server.yml | 6 +- schemas/source.yml | 6 +- schemas/tls.yml | 12 +- schemas/url.yml | 15 +- schemas/user.yml | 9 +- schemas/user_agent.yml | 3 +- schemas/x509.yml | 6 +- use-cases/auditbeat.md | 4 +- use-cases/filebeat-apache-access.md | 4 +- use-cases/kubernetes.md | 2 +- use-cases/metricbeat.md | 2 +- use-cases/web-logs.md | 6 +- 80 files changed, 1492 insertions(+), 1781 deletions(-) create mode 100644 experimental/schemas/agent.yml create mode 100644 experimental/schemas/as.yml create mode 100644 experimental/schemas/client.yml create mode 100644 experimental/schemas/destination.yml create mode 100644 experimental/schemas/dns.yml create mode 100644 experimental/schemas/error.yml create mode 100644 experimental/schemas/file.yml create mode 100644 experimental/schemas/geo.yml create mode 100644 experimental/schemas/http.yml create mode 100644 experimental/schemas/log.yml create mode 100644 experimental/schemas/organization.yml create mode 100644 experimental/schemas/os.yml create mode 100644 experimental/schemas/pe.yml create mode 100644 experimental/schemas/process.yml create mode 100644 
experimental/schemas/registry.yml create mode 100644 experimental/schemas/server.yml create mode 100644 experimental/schemas/source.yml create mode 100644 experimental/schemas/tls.yml create mode 100644 experimental/schemas/url.yml create mode 100644 experimental/schemas/user.yml create mode 100644 experimental/schemas/user_agent.yml create mode 100644 experimental/schemas/x509.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9baec5b634..90e3574f3f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -45,7 +45,6 @@ Thanks, you're awesome :-) --> #### Improvements * Event categorization fields GA. #1067 -* `wildcard` field type adoption. #1098 * Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131 * Reinforce the exclusion of the leading dot from `url.extension`. #1151 diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index efacab4e1b..b1d4dbe8be 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -115,13 +115,11 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha [[field-agent-build-original]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Extended build information for the agent. +| Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword @@ -257,11 +255,9 @@ example: `15169` [[field-as-organization-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Organization name. -Organization name. - -type: wildcard +type: keyword Multi-fields: 
@@ -345,11 +341,9 @@ example: `184` [[field-client-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Client domain. -Client domain. - -type: wildcard +type: keyword @@ -463,15 +457,13 @@ type: long [[field-client-registered-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The highest registered client domain, stripped of the subdomain. +| The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword @@ -1041,11 +1033,9 @@ example: `184` [[field-destination-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Destination domain. +| Destination domain. -type: wildcard +type: keyword @@ -1159,15 +1149,13 @@ type: long [[field-destination-registered-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The highest registered destination domain, stripped of the subdomain. +| The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword 
@@ -1408,13 +1396,11 @@ example: `IN` [[field-dns-answers-data]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The data describing the resource. +| The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword @@ -1547,13 +1533,11 @@ example: `IN` [[field-dns-question-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The name being queried. +| The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword @@ -1796,11 +1780,9 @@ type: text [[field-error-stack-trace]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The stack trace of this error in plain text. +| The stack trace of this error in plain text. -type: wildcard +type: keyword Multi-fields: @@ -1820,11 +1802,9 @@ Multi-fields: [[field-error-type]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The type of the error, for example the class name of the exception. +| The type of the error, for example the class name of the exception. -type: wildcard +type: keyword @@ -2461,11 +2441,9 @@ example: `sda` [[field-file-directory]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Directory where the file is located. It should include the drive letter, when appropriate. -Directory where the file is located. It should include the drive letter, when appropriate. - -type: wildcard +type: keyword 
@@ -2643,11 +2621,9 @@ example: `alice` [[field-file-path]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Full path to the file, including the file name. It should include the drive letter, when appropriate. +| Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword Multi-fields: @@ -2685,11 +2661,9 @@ example: `16384` [[field-file-target-path]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Target path for symlinks. +| Target path for symlinks. -type: wildcard +type: keyword Multi-fields: @@ -2882,15 +2856,13 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }` [[field-geo-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -User-defined description of a location, at the level of granularity they care about. +| User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword @@ -3184,13 +3156,11 @@ example: `CONTOSO` [[field-host-hostname]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Hostname of the host. +| Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword @@ -3383,11 +3353,9 @@ example: `887` [[field-http-request-body-content]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| The full HTTP request body. -The full HTTP request body. - -type: wildcard +type: keyword Multi-fields: 
@@ -3481,11 +3449,9 @@ example: `image/gif` [[field-http-request-referrer]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Referrer for this HTTP request. +| Referrer for this HTTP request. -type: wildcard +type: keyword @@ -3515,11 +3481,9 @@ example: `887` [[field-http-response-body-content]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The full HTTP response body. +| The full HTTP response body. -type: wildcard +type: keyword Multi-fields: @@ -3699,13 +3663,11 @@ The details specific to your event source are typically not logged under `log.*` [[field-log-file-path]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword @@ -3739,11 +3701,9 @@ example: `error` [[field-log-logger]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword @@ -4537,11 +4497,9 @@ type: keyword [[field-organization-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Organization name. +| Organization name. -type: wildcard +type: keyword Multi-fields: 
@@ -4593,11 +4551,9 @@ example: `debian` [[field-os-full]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Operating system name, including the version or code name. +| Operating system name, including the version or code name. -type: wildcard +type: keyword Multi-fields: @@ -4633,11 +4589,9 @@ example: `4.4.0-112-generic` [[field-os-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Operating system name, without the version. +| Operating system name, without the version. -type: wildcard +type: keyword Multi-fields: @@ -5047,11 +5001,9 @@ example: `0c6803c4e922103c4dca5963aad36ddf` [[field-pe-original-file-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Internal name of the file, provided at compile-time. -Internal name of the file, provided at compile-time. - -type: wildcard +type: keyword @@ -5148,13 +5100,11 @@ example: `4` [[field-process-command-line]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Full command line that started the process, including the absolute path to the executable, and all arguments. +| Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword Multi-fields: @@ -5194,11 +5144,9 @@ example: `c2c455d9f99375d` [[field-process-executable]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Absolute path to the process executable. +| Absolute path to the process executable. -type: wildcard +type: keyword Multi-fields: 
@@ -5236,13 +5184,11 @@ example: `137` [[field-process-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Process name. +| Process name. Sometimes called program name or similar. -type: wildcard +type: keyword Multi-fields: @@ -5342,11 +5288,9 @@ example: `4242` [[field-process-thread-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Thread name. -Thread name. - -type: wildcard +type: keyword @@ -5360,13 +5304,11 @@ example: `thread-0` [[field-process-title]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Process title. +| Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword Multi-fields: @@ -5402,11 +5344,9 @@ example: `1325` [[field-process-working-directory]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The working directory of the process. +| The working directory of the process. -type: wildcard +type: keyword Multi-fields: @@ -5507,13 +5447,11 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` [[field-registry-data-strings]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Content when writing string types. +| Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword Note: this field should contain an array of values. 
@@ -5562,11 +5500,9 @@ example: `HKLM` [[field-registry-key]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Hive-relative path of keys. -Hive-relative path of keys. - -type: wildcard +type: keyword @@ -5580,11 +5516,9 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti [[field-registry-path]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Full path, including hive, key and value +| Full path, including hive, key and value -type: wildcard +type: keyword @@ -5947,11 +5881,9 @@ example: `184` [[field-server-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Server domain. +| Server domain. -type: wildcard +type: keyword @@ -6065,15 +5997,13 @@ type: long [[field-server-registered-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The highest registered server domain, stripped of the subdomain. +| The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword @@ -6362,11 +6292,9 @@ example: `184` [[field-source-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Source domain. +| Source domain. -type: wildcard +type: keyword 
@@ -6480,15 +6408,13 @@ type: long [[field-source-registered-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The highest registered source domain, stripped of the subdomain. +| The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword @@ -6907,11 +6833,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-client-issuer]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +| Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword @@ -6989,11 +6913,9 @@ example: `www.elastic.co` [[field-tls-client-subject]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Distinguished name of subject of the x.509 certificate presented by the client. +| Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword @@ -7173,11 +7095,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` [[field-tls-server-issuer]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Subject of the issuer of the x.509 certificate presented by the server. -Subject of the issuer of the x.509 certificate presented by the server. - -type: wildcard +type: keyword 
@@ -7239,11 +7159,9 @@ example: `1970-01-01T00:00:00.000Z` [[field-tls-server-subject]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Subject of the x.509 certificate presented by the server. -Subject of the x.509 certificate presented by the server. - -type: wildcard +type: keyword @@ -7408,15 +7326,13 @@ URL fields provide support for complete or partial URLs, and supports the breaki [[field-url-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Domain of the url, such as "www.elastic.co". +| Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. -type: wildcard +type: keyword @@ -7470,11 +7386,9 @@ type: keyword [[field-url-full]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword Multi-fields: 
@@ -7494,15 +7408,13 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top` [[field-url-original]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Unmodified original url as seen in the event source. +| Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword Multi-fields: @@ -7538,11 +7450,9 @@ type: keyword [[field-url-path]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Path of the request, such as "/search". -Path of the request, such as "/search". - -type: wildcard +type: keyword @@ -7590,15 +7500,13 @@ type: keyword [[field-url-registered-domain]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -The highest registered url domain, stripped of the subdomain. +| The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword @@ -7722,11 +7630,9 @@ type: keyword [[field-user-email]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -User email address. +| User email address. -type: wildcard +type: keyword 
@@ -7740,11 +7646,9 @@ type: wildcard [[field-user-full-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -User's full name, if available. +| User's full name, if available. -type: wildcard +type: keyword Multi-fields: @@ -7798,11 +7702,9 @@ type: keyword [[field-user-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Short name or login of the user. +| Short name or login of the user. -type: wildcard +type: keyword Multi-fields: @@ -7945,11 +7847,9 @@ example: `Safari` [[field-user-agent-original]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] +| Unparsed user_agent string. -Unparsed user_agent string. - -type: wildcard +type: keyword Multi-fields: @@ -8394,11 +8294,9 @@ example: `US` [[field-x509-issuer-distinguished-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Distinguished name (DN) of issuing certificate authority. +| Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword @@ -8654,11 +8552,9 @@ example: `US` [[field-x509-subject-distinguished-name]] <> -| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ] - -Distinguished name (DN) of the certificate subject entity. +| Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ce8874fbe8..4cab1099ae 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -18,8 +18,6 @@ short: Date/time when the event originated. type: date agent.build.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -130,8 +128,6 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -159,8 +155,6 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -229,8 +223,6 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -336,8 +328,6 @@ client.port: short: Port of the client. type: long client.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -402,8 +392,6 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email 
@@ -414,8 +402,6 @@ client.user.email: short: User email address. type: wildcard client.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -493,8 +479,6 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -794,8 +778,6 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -823,8 +805,6 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -893,8 +873,6 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -999,8 +977,6 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. 
@@ -1065,8 +1041,6 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1077,8 +1051,6 @@ destination.user.email: short: User email address. type: wildcard destination.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1156,8 +1128,6 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1398,8 +1368,6 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1453,8 +1421,6 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1555,8 +1521,6 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1723,8 +1687,6 @@ error.message: short: Error message. type: text error.stack_trace: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace @@ -1739,8 +1701,6 @@ error.stack_trace: short: The stack trace of this error in plain text. type: wildcard error.type: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2627,8 +2587,6 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -2811,8 +2769,6 @@ file.owner: short: File owner's username. type: keyword file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -2893,8 +2849,6 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -2930,8 +2884,6 @@ file.size: short: File size in bytes. type: long file.target_path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path 
@@ -3009,8 +2961,6 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3200,8 +3150,6 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3426,8 +3374,6 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3469,8 +3415,6 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. @@ -3582,8 +3526,6 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -3612,8 +3554,6 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -3709,8 +3649,6 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -3721,8 +3659,6 @@ host.user.email: short: User email address. type: wildcard host.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -3800,8 +3736,6 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -3842,8 +3776,6 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world @@ -3918,8 +3850,6 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ 
@@ -3941,8 +3871,6 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4022,8 +3950,6 @@ labels: short: Custom key/value pairs. type: object log.file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4054,8 +3980,6 @@ log.level: short: Log level of the log event. type: keyword log.logger: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -4586,8 +4510,6 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4774,8 +4696,6 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -4804,8 +4724,6 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -4931,8 +4849,6 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5193,8 +5109,6 @@ process.code_signature.valid: content. type: boolean process.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5232,8 +5146,6 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5317,8 +5229,6 @@ process.hash.ssdeep: short: SSDEEP hash. type: keyword process.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-name description: 'Process name. @@ -5435,8 +5345,6 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. 
@@ -5476,8 +5384,6 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5563,8 +5469,6 @@ process.parent.hash.ssdeep: short: SSDEEP hash. type: keyword process.parent.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -5647,8 +5551,6 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5730,8 +5632,6 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -5743,8 +5643,6 @@ process.parent.thread.name: short: Thread name. type: wildcard process.parent.title: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -5774,8 +5672,6 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice 
@@ -5856,8 +5752,6 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5934,8 +5828,6 @@ process.thread.id: short: Thread ID. type: long process.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -5946,8 +5838,6 @@ process.thread.name: short: Thread name. type: wildcard process.title: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-title description: 'Process title. @@ -5975,8 +5865,6 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -6007,8 +5895,6 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -6048,8 +5934,6 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe 
@@ -6060,8 +5944,6 @@ registry.key: short: Hive-relative path of keys. type: wildcard registry.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -6279,8 +6161,6 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -6308,8 +6188,6 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -6378,8 +6256,6 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6485,8 +6361,6 @@ server.port: short: Port of the server. type: long server.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6551,8 +6425,6 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email 
@@ -6563,8 +6435,6 @@ server.user.email: short: User email address. type: wildcard server.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6642,8 +6512,6 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -6812,8 +6680,6 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -6841,8 +6707,6 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -6911,8 +6775,6 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7018,8 +6880,6 @@ source.port: short: Port of the source. type: long source.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. 
@@ -7084,8 +6944,6 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -7096,8 +6954,6 @@ source.user.email: short: User email address. type: wildcard source.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7175,8 +7031,6 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -7455,8 +7309,6 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -7515,8 +7367,6 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. 
@@ -7582,8 +7432,6 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7773,8 +7621,6 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7965,8 +7811,6 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -8010,8 +7854,6 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com 
@@ -8063,8 +7905,6 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -8254,8 +8094,6 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8380,8 +8218,6 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8430,8 +8266,6 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -8448,8 +8282,6 @@ url.full: short: Full unparsed URL. type: wildcard url.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. 
@@ -8480,8 +8312,6 @@ url.password: short: Password of the request. type: keyword url.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -8518,8 +8348,6 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8607,8 +8435,6 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -8619,8 +8445,6 @@ user.changes.email: short: User email address. type: wildcard user.changes.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein @@ -8698,8 +8522,6 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -8754,8 +8576,6 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email 
@@ -8766,8 +8586,6 @@ user.effective.email: short: User email address. type: wildcard user.effective.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -8845,8 +8663,6 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -8876,8 +8692,6 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -8887,8 +8701,6 @@ user.email: short: User email address. type: wildcard user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein @@ -8963,8 +8775,6 @@ user.id: short: Unique identifier of the user. type: keyword user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -9005,8 +8815,6 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email 
@@ -9017,8 +8825,6 @@ user.target.email: short: User email address. type: wildcard user.target.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -9096,8 +8902,6 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -9149,8 +8953,6 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -9179,8 +8981,6 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -9209,8 +9009,6 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index fcd725bb6b..ef1e3567d2 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -8,8 +8,6 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -120,8 +118,6 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC @@ -277,8 +273,6 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -306,8 +300,6 @@ client: short: Bytes sent from the client to the server. type: long client.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -376,8 +368,6 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -483,8 +473,6 @@ client: short: Port of the client. type: long client.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. 
@@ -549,8 +537,6 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -561,8 +547,6 @@ client: short: User email address. type: wildcard client.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -640,8 +624,6 @@ client: short: Unique identifier of the user. type: keyword client.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -1106,8 +1088,6 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -1135,8 +1115,6 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -1205,8 +1183,6 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -1311,8 +1287,6 @@ destination: short: Port of the destination. type: long destination.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1377,8 +1351,6 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1389,8 +1361,6 @@ destination: short: User email address. type: wildcard destination.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1468,8 +1438,6 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1744,8 +1712,6 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1827,8 +1793,6 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. 
@@ -1931,8 +1895,6 @@ dns: short: The class of records being queried. type: keyword dns.question.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -2120,8 +2082,6 @@ error: short: Error message. type: text error.stack_trace: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace @@ -2136,8 +2096,6 @@ error: short: The stack trace of this error in plain text. type: wildcard error.type: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -3075,8 +3033,6 @@ file: short: Device that is the source of the file. type: keyword file.directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -3259,8 +3215,6 @@ file: short: File owner's username. type: keyword file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -3341,8 +3295,6 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -3378,8 +3330,6 @@ file: short: File size in bytes. type: long file.target_path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -3457,8 +3407,6 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3648,8 +3596,6 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3809,8 +3755,6 @@ geo: short: Longitude and latitude. type: geo_point geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4130,8 +4074,6 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4173,8 +4115,6 @@ host: short: Region name. type: keyword host.hostname: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4287,8 +4227,6 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4317,8 +4255,6 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -4416,8 +4352,6 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -4428,8 +4362,6 @@ host: short: User email address. type: wildcard host.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -4507,8 +4439,6 @@ host: short: Unique identifier of the user. type: keyword host.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -4573,8 +4503,6 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -4651,8 +4579,6 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -4674,8 +4600,6 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4813,8 +4737,6 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4845,8 +4767,6 @@ log: short: Log level of the log event. type: keyword log.logger: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -5408,8 +5328,6 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -5597,8 +5515,6 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5627,8 +5543,6 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -5794,8 +5708,6 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5830,8 +5742,6 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5858,8 +5768,6 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X @@ -6159,8 +6067,6 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -6304,8 +6210,6 @@ process: content. type: boolean process.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6343,8 +6247,6 @@ process: short: Unique identifier for the process. type: keyword process.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6428,8 +6330,6 @@ process: short: SSDEEP hash. type: keyword process.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-name description: 'Process name. @@ -6546,8 +6446,6 @@ process: content. type: boolean process.parent.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6587,8 +6485,6 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6674,8 +6570,6 @@ process: short: SSDEEP hash. type: keyword process.parent.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-name description: 'Process name. 
@@ -6758,8 +6652,6 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6841,8 +6733,6 @@ process: short: Thread ID. type: long process.parent.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -6854,8 +6744,6 @@ process: short: Thread name. type: wildcard process.parent.title: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -6885,8 +6773,6 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -6967,8 +6853,6 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -7045,8 +6929,6 @@ process: short: Thread ID. type: long process.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 
@@ -7057,8 +6939,6 @@ process: short: Thread name. type: wildcard process.title: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-title description: 'Process title. @@ -7086,8 +6966,6 @@ process: short: Seconds the process has been up. type: long process.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -7151,8 +7029,6 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -7192,8 +7068,6 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -7204,8 +7078,6 @@ registry: short: Hive-relative path of keys. type: wildcard registry.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -7480,8 +7352,6 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC 
@@ -7509,8 +7379,6 @@ server: short: Bytes sent from the server to the client. type: long server.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -7579,8 +7447,6 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7686,8 +7552,6 @@ server: short: Port of the server. type: long server.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -7752,8 +7616,6 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -7764,8 +7626,6 @@ server: short: User email address. type: wildcard server.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7843,8 +7703,6 @@ server: short: Unique identifier of the user. type: keyword server.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert 
@@ -8057,8 +7915,6 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -8086,8 +7942,6 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -8156,8 +8010,6 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -8263,8 +8115,6 @@ source: short: Port of the source. type: long source.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -8329,8 +8179,6 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -8341,8 +8189,6 @@ source: short: User email address. type: wildcard source.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8420,8 +8266,6 @@ source: short: Unique identifier of the user. type: keyword source.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -8714,8 +8558,6 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -8776,8 +8618,6 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -8844,8 +8684,6 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9035,8 +8873,6 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -9227,8 +9063,6 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. @@ -9275,8 +9109,6 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -9328,8 +9160,6 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9519,8 +9349,6 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9696,8 +9524,6 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -9747,8 +9573,6 @@ url: short: Portion of the url after the `#`. type: keyword url.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -9766,8 +9590,6 @@ url: short: Full unparsed URL. type: wildcard url.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9798,8 +9620,6 @@ url: short: Password of the request. type: keyword url.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -9836,8 +9656,6 @@ url: short: Query string of the request. type: keyword url.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -9938,8 +9756,6 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -9950,8 +9766,6 @@ user: short: User email address. type: wildcard user.changes.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein 
@@ -10029,8 +9843,6 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -10085,8 +9897,6 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email @@ -10097,8 +9907,6 @@ user: short: User email address. type: wildcard user.effective.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -10176,8 +9984,6 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -10207,8 +10013,6 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -10218,8 +10022,6 @@ user: short: User email address. type: wildcard user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -10294,8 +10096,6 @@ user: short: Unique identifier of the user. type: keyword user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -10336,8 +10136,6 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email @@ -10348,8 +10146,6 @@ user: short: User email address. type: wildcard user.target.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -10427,8 +10223,6 @@ user: short: Unique identifier of the user. type: keyword user.target.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -10542,8 +10336,6 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -10572,8 +10364,6 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -10602,8 +10392,6 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X @@ -10984,8 +10772,6 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -11160,8 +10946,6 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/experimental/schemas/agent.yml b/experimental/schemas/agent.yml new file mode 100644 index 0000000000..d09e77111d --- /dev/null +++ b/experimental/schemas/agent.yml @@ -0,0 +1,5 @@ +--- +- name: agent + fields: + - name: build.original + type: wildcard diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml new file mode 100644 index 0000000000..96cf45621c --- /dev/null +++ b/experimental/schemas/as.yml @@ -0,0 +1,5 @@ +--- +- name: as + fields: + - name: organization.name + type: wildcard diff --git a/experimental/schemas/client.yml b/experimental/schemas/client.yml new file mode 100644 index 0000000000..14ed3a9a37 --- /dev/null +++ b/experimental/schemas/client.yml @@ -0,0 +1,7 @@ +--- + - name: client + fields: + - name: domain + type: wildcard + - name: registered_domain + type: wildcard 
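Review bot: The top-level list item in `experimental/schemas/client.yml` carries a leading space (`+ - name: client`) while `agent.yml` and `as.yml` in the same series start it at column 0 (`+- name: agent`); `destination.yml`, `geo.yml` and `server.yml` further down show the same extra indent. The page's whitespace is collapsed, so the exact column cannot be confirmed here, but if the offset is real each file still parses on its own and the difference is purely cosmetic. Aligning every overlay to `- name: client` at column 0 keeps the experimental schemas uniform and avoids a spurious diff when they are later merged into the main schema.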
diff --git a/experimental/schemas/destination.yml b/experimental/schemas/destination.yml
new file mode 100644
index 0000000000..d64a84c6be
--- /dev/null
+++ b/experimental/schemas/destination.yml
@@ -0,0 +1,7 @@
+---
+ - name: destination
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml
new file mode 100644
index 0000000000..466859c09f
--- /dev/null
+++ b/experimental/schemas/dns.yml
@@ -0,0 +1,9 @@
+---
+- name: dns
+ fields:
+ - name: question.name
+ type: wildcard
+ - name: answers
+ type: object
+ - name: answers.data
+ type: wildcard
diff --git a/experimental/schemas/error.yml b/experimental/schemas/error.yml
new file mode 100644
index 0000000000..f2004d3fe0
--- /dev/null
+++ b/experimental/schemas/error.yml
@@ -0,0 +1,9 @@
+---
+- name: error
+ fields:
+ - name: stack_trace
+ index: true
+ type: wildcard
+
+ - name: type
+ type: wildcard
diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml
new file mode 100644
index 0000000000..f4938d38be
--- /dev/null
+++ b/experimental/schemas/file.yml
@@ -0,0 +1,9 @@
+---
+- name: file
+ fields:
+ - name: directory
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: target_path
+ type: wildcard
diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml
new file mode 100644
index 0000000000..d3445a5a2b
--- /dev/null
+++ b/experimental/schemas/geo.yml
@@ -0,0 +1,5 @@
+---
+ - name: geo
+ fields:
+ - name: name
+ type: wildcard
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml
index eabc2f9af8..b7b57cfc09 100644
--- a/experimental/schemas/host.yml
+++ b/experimental/schemas/host.yml
@@ -60,3 +60,6 @@ description: > The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
+
+ - name: hostname
+ type: wildcard
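Review bot: `index: true` on `error.stack_trace` in `experimental/schemas/error.yml` is the only overlay entry in this series that changes something other than `type`, and nothing explains why; the regenerated `generated/beats/fields.ecs.yml` hunk further down this page adds `index: false` to the same field, so the overlay appears to re-enable indexing of full stack traces for the wildcard experiment. Stack traces are long, high-cardinality strings, so the index-size and ingest-cost impact is worth recording next to the flag. Suggest a one-line comment above it such as `# indexed on purpose for the wildcard experiment (main schema keeps index: false); measure size impact before promoting`. The blank `+` line between the two fields is also the only one in these overlays and could be dropped for consistency.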
diff --git a/experimental/schemas/http.yml b/experimental/schemas/http.yml
new file mode 100644
index 0000000000..1722cdc5e7
--- /dev/null
+++ b/experimental/schemas/http.yml
@@ -0,0 +1,9 @@
+---
+- name: http
+ fields:
+ - name: request.body.content
+ type: wildcard
+ - name: request.referrer
+ type: wildcard
+ - name: response.body.content
+ type: wildcard
diff --git a/experimental/schemas/log.yml b/experimental/schemas/log.yml
new file mode 100644
index 0000000000..8a2f2dd397
--- /dev/null
+++ b/experimental/schemas/log.yml
@@ -0,0 +1,7 @@
+---
+- name: log
+ fields:
+ - name: file.path
+ type: wildcard
+ - name: logger
+ type: wildcard
diff --git a/experimental/schemas/organization.yml b/experimental/schemas/organization.yml
new file mode 100644
index 0000000000..594581413b
--- /dev/null
+++ b/experimental/schemas/organization.yml
@@ -0,0 +1,5 @@
+---
+- name: organization
+ fields:
+ - name: name
+ type: wildcard
diff --git a/experimental/schemas/os.yml b/experimental/schemas/os.yml
new file mode 100644
index 0000000000..ec9d71a79c
--- /dev/null
+++ b/experimental/schemas/os.yml
@@ -0,0 +1,7 @@
+---
+- name: os
+ fields:
+ - name: name
+ type: wildcard
+ - name: full
+ type: wildcard
diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml
new file mode 100644
index 0000000000..77a0574348
--- /dev/null
+++ b/experimental/schemas/pe.yml
@@ -0,0 +1,5 @@
+---
+- name: pe
+ fields:
+ - name: original_file_name
+ type: wildcard
diff --git a/experimental/schemas/process.yml b/experimental/schemas/process.yml
new file mode 100644
index 0000000000..e759e97e86
--- /dev/null
+++ b/experimental/schemas/process.yml
@@ -0,0 +1,15 @@
+---
+- name: process
+ fields:
+ - name: command_line
+ type: wildcard
+ - name: executable
+ type: wildcard
+ - name: name
+ type: wildcard
+ - name: thread.name
+ type: wildcard
+ - name: title
+ type: wildcard
+ - name: working_directory
+ type: wildcard
diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml
new file mode 100644
index 0000000000..66f6f6b22c
--- /dev/null
+++ b/experimental/schemas/registry.yml
@@ -0,0 +1,9 @@
+---
+- name: registry
+ fields:
+ - name: key
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: data.strings
+ type: wildcard
diff --git a/experimental/schemas/server.yml b/experimental/schemas/server.yml
new file mode 100644
index 0000000000..70c285f374
--- /dev/null
+++ b/experimental/schemas/server.yml
@@ -0,0 +1,7 @@
+---
+ - name: server
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/source.yml b/experimental/schemas/source.yml
new file mode 100644
index 0000000000..d810a6cb79
--- /dev/null
+++ b/experimental/schemas/source.yml
@@ -0,0 +1,7 @@
+---
+- name: source
+ fields:
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/tls.yml b/experimental/schemas/tls.yml
new file mode 100644
index 0000000000..4f5378a313
--- /dev/null
+++ b/experimental/schemas/tls.yml
@@ -0,0 +1,11 @@
+---
+- name: tls
+ fields:
+ - name: client.issuer
+ type: wildcard
+ - name: client.subject
+ type: wildcard
+ - name: server.issuer
+ type: wildcard
+ - name: server.subject
+ type: wildcard
diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml
new file mode 100644
index 0000000000..0d5f66c36a
--- /dev/null
+++ b/experimental/schemas/url.yml
@@ -0,0 +1,13 @@
+---
+- name: url
+ fields:
+ - name: original
+ type: wildcard
+ - name: full
+ type: wildcard
+ - name: path
+ type: wildcard
+ - name: domain
+ type: wildcard
+ - name: registered_domain
+ type: wildcard
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
new file mode 100644
index 0000000000..89e182fbee
--- /dev/null
+++ b/experimental/schemas/user.yml
@@ -0,0 +1,9 @@ +--- +- name: user + fields: + - name: name + type: wildcard + - name: full_name + type: wildcard + - name: email + type: wildcard diff --git a/experimental/schemas/user_agent.yml b/experimental/schemas/user_agent.yml new file mode 100644 index 0000000000..c413a9d702 --- /dev/null +++ b/experimental/schemas/user_agent.yml @@ -0,0 +1,5 @@ +--- +- name: user_agent + fields: + - name: original + type: wildcard diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml new file mode 100644 index 0000000000..d1c7d8af6b --- /dev/null +++ b/experimental/schemas/x509.yml @@ -0,0 +1,7 @@ +--- +- name: x509 + fields: + - name: issuer.distinguished_name + type: wildcard + - name: subject.distinguished_name + type: wildcard diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 75b3f4a862..1c6cea3a9a 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -66,7 +66,8 @@ fields: - name: build.original level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Extended build information for the agent. This field is intended to contain any build information that a data source @@ -135,7 +136,8 @@ example: 15169 - name: organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -181,7 +183,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -197,7 +200,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Client domain. - name: geo.city_name level: core @@ -230,7 +234,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -287,7 +292,8 @@ description: Port of the client. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -331,11 +337,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -376,7 +384,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -607,7 +616,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -623,7 +633,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Destination domain. - name: geo.city_name level: core @@ -656,7 +667,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -712,7 +724,8 @@ description: Port of the destination. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -756,11 +769,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -801,7 +816,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -962,7 +978,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1005,7 +1022,8 @@ example: IN - name: answers.data level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' @@ -1064,7 +1082,8 @@ example: IN - name: question.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), @@ -1183,16 +1202,19 @@ description: Error message. - name: stack_trace level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. + index: false - name: type level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event 
@@ -1581,7 +1603,8 @@ example: sda - name: directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice @@ -1681,7 +1704,8 @@ example: alice - name: path level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -1731,7 +1755,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1751,7 +1776,8 @@ example: 16384 - name: target_path level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -1795,7 +1821,8 @@ default_field: false - name: x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -1901,7 +1928,8 @@ default_field: false - name: x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -1980,7 +2008,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -2124,7 +2153,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -2147,7 +2177,8 @@ example: Quebec - name: hostname level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' @@ -2186,7 +2217,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2202,7 +2234,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2260,11 +2293,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2305,7 +2340,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2335,7 +2371,8 @@ example: 887 - name: request.body.content level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2388,7 +2425,8 @@ default_field: false - name: request.referrer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -2399,7 +2437,8 @@ example: 887 - name: response.body.content level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2485,7 +2524,8 @@ fields: - name: file.path level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -2506,7 +2546,8 @@ example: error - name: logger level: core - type: wildcard + type: keyword + ignore_above: 1024 description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap @@ -2852,7 +2893,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -2960,7 +3002,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2976,7 +3019,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3059,7 +3103,8 @@ description: Unique identifier for the organization. - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3080,7 +3125,8 @@ example: debian - name: full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3096,7 +3142,8 @@ example: 4.4.0-112-generic - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3276,7 +3323,8 @@ default_field: false - name: original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3360,7 +3408,8 @@ default_field: false - name: command_line level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -3388,7 +3437,8 @@ default_field: false - name: executable level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3433,7 +3483,8 @@ default_field: false - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3507,7 +3558,8 @@ default_field: false - name: parent.command_line level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3535,7 +3587,8 @@ default_field: false - name: parent.executable level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3584,7 +3637,8 @@ default_field: false - name: parent.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3635,7 +3689,8 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3681,13 +3736,15 @@ default_field: false - name: parent.thread.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3705,7 +3762,8 @@ default_field: false - name: parent.working_directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3754,7 +3812,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false 
@@ -3795,12 +3854,14 @@ example: 4242 - name: thread.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Thread name. example: thread-0 - name: title level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3817,7 +3878,8 @@ example: 1325 - name: working_directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3844,7 +3906,8 @@ default_field: false - name: data.strings level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -3870,13 +3933,15 @@ default_field: false - name: key level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -4061,7 +4126,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4077,7 +4143,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Server domain. - name: geo.city_name level: core @@ -4110,7 +4177,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -4167,7 +4235,8 @@ description: Port of the server. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4211,11 +4280,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4256,7 +4327,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4390,7 +4462,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4406,7 +4479,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Source domain. - name: geo.city_name level: core @@ -4439,7 +4513,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -4496,7 +4571,8 @@ description: Port of the source. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -4540,11 +4616,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4585,7 +4663,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4759,7 +4838,8 @@ default_field: false - name: client.issuer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -4797,7 +4877,8 @@ default_field: false - name: client.subject level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -4835,7 +4916,8 @@ default_field: false - name: client.x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -4941,7 +5023,8 @@ default_field: false - name: client.x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false 
@@ -5054,7 +5137,8 @@ default_field: false - name: server.issuer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -5083,7 +5167,8 @@ default_field: false - name: server.subject level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false @@ -5112,7 +5197,8 @@ default_field: false - name: server.x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -5218,7 +5304,8 @@ default_field: false - name: server.x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5307,7 +5394,8 @@ fields: - name: domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -5341,7 +5429,8 @@ The `#` is not part of the fragment.' - name: full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5353,7 +5442,8 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -5373,7 +5463,8 @@ description: Password of the request. - name: path level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Path of the request, such as "/search". - name: port level: extended @@ -5394,7 +5485,8 @@ the two cases.' - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -5462,12 +5554,14 @@ default_field: false - name: changes.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. default_field: false - name: changes.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5513,7 +5607,8 @@ default_field: false - name: changes.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5545,12 +5640,14 @@ default_field: false - name: effective.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. default_field: false - name: effective.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5596,7 +5693,8 @@ default_field: false - name: effective.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5613,11 +5711,13 @@ default_field: false - name: email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5658,7 +5758,8 @@ description: Unique identifier of the user. - name: name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -5683,12 +5784,14 @@ default_field: false - name: target.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. default_field: false - name: target.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5734,7 +5837,8 @@ default_field: false - name: target.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5771,7 +5875,8 @@ example: Safari - name: original level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5787,7 +5892,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5803,7 +5909,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -6050,7 +6157,8 @@ default_field: false - name: issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -6156,7 +6264,8 @@ default_field: false - name: subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 68c90ecb74..a71bdc558e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -3,7 +3,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. 1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. 1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.9.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. 1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. 1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. 
@@ -11,16 +11,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
 1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address.
 1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
-1.9.0-dev,true,client,client.domain,wildcard,core,,,Client domain.
+1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain.
 1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client.
@@ -29,19 +29,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port
 1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
 1.9.0-dev,true,client,client.port,long,core,,,Port of the client.
-1.9.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+1.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
 1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,client,client.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
@@ -63,16 +63,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
 1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address.
 1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-1.9.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
 1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
-1.9.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain.
+1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain.
 1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
 1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
 1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. 
@@ -81,19 +81,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
 1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
 1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination.
-1.9.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+1.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
 1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
 1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
@@ -113,11 +113,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
-1.9.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
+1.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.
 1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains.
 1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded.
 1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record.
@@ -125,7 +125,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message.
 1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried.
-1.9.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried.
+1.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried.
 1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain."
 1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain.
 1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
@@ -137,9 +137,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
 1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
 1.9.0-dev,true,error,error.message,text,core,,,Error message.
-1.9.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
-1.9.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
+1.9.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+1.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
 1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
 1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
 1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event.
@@ -175,7 +175,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
-1.9.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
 1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
 1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
@@ -191,24 +191,24 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
 1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
-1.9.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-1.9.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
-1.9.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
+1.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
 1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
 1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
 1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
 1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.9.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
 1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
 1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
@@ -223,7 +223,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
 1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
 1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.9.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
 1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
 1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
 1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
@@ -239,19 +239,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
-1.9.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host.
+1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id.
 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host.
 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -259,35 +259,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,host,host.type,keyword,core,,,Type of host.
 1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
 1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-1.9.0-dev,true,host,host.user.email,wildcard,extended,,,User email address.
-1.9.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available."
+1.9.0-dev,true,host,host.user.email,keyword,extended,,,User email address.
+1.9.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
 1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group.
 1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
-1.9.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user.
+1.9.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
 1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
-1.9.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+1.9.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
 1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
 1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-1.9.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
+1.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
 1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
-1.9.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+1.9.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
 1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
 1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
 1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
 1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
 1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
-1.9.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+1.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
 1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
-1.9.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+1.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
 1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event.
 1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
 1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
@@ -326,7 +326,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
 1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
 1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-1.9.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
 1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
 1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
@@ -341,10 +341,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
 1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
-1.9.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
-1.9.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version."
+1.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
 1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
@@ -355,7 +355,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
 1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version.
 1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
-1.9.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name.
+1.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name.
 1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name.
 1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
 1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
@@ -377,10 +377,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
 1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
@@ -388,7 +388,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
 1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-1.9.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
+1.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -397,10 +397,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-1.9.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-1.9.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
+1.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
 1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
@@ -408,50 +408,50 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. 1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. 1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. 1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. 1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -1.9.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. +1.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. 1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. 1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. 1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 1.9.0-dev,true,process,process.pid,long,core,,4242,Process id. 1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -1.9.0-dev,true,process,process.title,wildcard,extended,,,Process title. +1.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.9.0-dev,true,process,process.title,keyword,extended,,,Process title. 1.9.0-dev,true,process,process.title.text,text,extended,,,Process title. 1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. 1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. 1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.9.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents 1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.9.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.9.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 
@@ -469,16 +469,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version 1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address. 1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. 1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.9.0-dev,true,server,server.domain,wildcard,core,,,Server domain. +1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain. 1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. 1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. 
@@ -487,19 +487,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port 1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 1.9.0-dev,true,server,server.port,long,core,,,Port of the server. -1.9.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." 1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. -1.9.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +1.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. 
-1.9.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. 1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
@@ -511,16 +511,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. 1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address. 1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. 1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.9.0-dev,true,source,source.domain,wildcard,core,,,Source domain. +1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain. 1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. 
@@ -529,19 +529,19 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port 1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 1.9.0-dev,true,source,source.port,long,core,,,Port of the source. -1.9.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." 1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -1.9.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +1.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. 
-1.9.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. 1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 
@@ -563,17 +563,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.9.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. 1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. 1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.9.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+1.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. 1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) 1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
@@ -588,7 +588,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) 1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
@@ -603,15 +603,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. 1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. 1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. 1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.9.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. 
1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) 1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
@@ -626,7 +626,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) 1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
@@ -636,79 +636,79 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. 1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.9.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. 1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.9.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.9.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.9.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
+1.9.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." 1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." 1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.9.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. 1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -1.9.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +1.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -1.9.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +1.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user. 
1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,user,user.email,wildcard,extended,,,User email address. -1.9.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.email,keyword,extended,,,User email address. +1.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -1.9.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address. 
+1.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.9.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.9.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 
1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f30e8aced4..1af94d22d3 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -18,8 +18,6 @@ short: Date/time when the event originated. type: date agent.build.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -28,11 +26,12 @@ agent.build.original: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original + ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: wildcard + type: keyword agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). @@ -130,12 +129,11 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -146,7 +144,7 @@ client.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -159,16 +157,15 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: wildcard + type: keyword client.geo.city_name: dashed_name: client-geo-city-name description: City name. 
@@ -229,8 +226,6 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -241,12 +236,13 @@ client.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -336,8 +332,6 @@ client.port: short: Port of the client. type: long client.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -348,11 +342,12 @@ client.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: wildcard + type: keyword client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -402,24 +397,22 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword client.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -430,7 +423,7 @@ client.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. @@ -493,12 +486,11 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -509,7 +501,7 @@ client.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -748,12 +740,11 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -764,7 +755,7 @@ destination.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -777,16 +768,15 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: wildcard + type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. @@ -847,8 +837,6 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -859,12 +847,13 @@ destination.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -953,8 +942,6 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -965,11 +952,12 @@ destination.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: wildcard + type: keyword destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -1019,24 +1007,22 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword destination.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1047,7 +1033,7 @@ destination.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. @@ -1110,12 +1096,11 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1126,7 +1111,7 @@ destination.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -1352,18 +1337,17 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. @@ -1407,19 +1391,18 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data + ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: wildcard + type: keyword dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1509,8 +1492,6 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1520,11 +1501,12 @@ dns.question.name: converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name + ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: wildcard + type: keyword dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -1677,11 +1659,12 @@ error.message: short: Error message. type: text error.stack_trace: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. + doc_values: false flat_name: error.stack_trace + ignore_above: 1024 + index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -1691,19 +1674,18 @@ error.stack_trace: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: wildcard + type: keyword error.type: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type + ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: wildcard + type: keyword event.action: dashed_name: event-action description: 'The action captured by the event. 
@@ -2581,18 +2563,17 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory + ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: wildcard + type: keyword file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant @@ -2765,13 +2746,12 @@ file.owner: short: File owner's username. type: keyword file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path + ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text @@ -2781,7 +2761,7 @@ file.path: name: path normalize: [] short: Full path to the file, including the file name. - type: wildcard + type: keyword file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. 
@@ -2847,18 +2827,17 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -2884,11 +2863,10 @@ file.size: short: File size in bytes. type: long file.target_path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path + ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -2898,7 +2876,7 @@ file.target_path: name: target_path normalize: [] short: Target path for symlinks. - type: wildcard + type: keyword file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -2963,19 +2941,18 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3154,18 +3131,17 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3346,8 +3322,6 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3358,12 +3332,13 @@ host.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3389,18 +3364,17 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname + ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: wildcard + type: keyword host.id: dashed_name: host-id description: 'Unique host id. @@ -3462,12 +3436,11 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -3478,7 +3451,7 @@ host.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. 
@@ -3492,12 +3465,11 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -3508,7 +3480,7 @@ host.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -3589,24 +3561,22 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword host.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -3617,7 +3587,7 @@ host.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -3680,12 +3650,11 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -3696,7 +3665,7 @@ host.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. @@ -3722,12 +3691,11 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content + ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -3737,7 +3705,7 @@ http.request.body.content: name: request.body.content normalize: [] short: The full HTTP request body. - type: wildcard + type: keyword http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). 
@@ -3798,17 +3766,16 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer + ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: wildcard + type: keyword http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -3821,12 +3788,11 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content + ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text @@ -3836,7 +3802,7 @@ http.response.body.content: name: response.body.content normalize: [] short: The full HTTP response body. - type: wildcard + type: keyword http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -3902,8 +3868,6 @@ labels: short: Custom key/value pairs. type: object log.file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -3911,11 +3875,12 @@ log.file.path: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path + ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: wildcard + type: keyword log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -3934,18 +3899,17 @@ log.level: short: Log level of the log event. type: keyword log.logger: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger + ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: wildcard + type: keyword log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated @@ -4466,8 +4430,6 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4478,12 +4440,13 @@ observer.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. 
@@ -4654,12 +4617,11 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -4670,7 +4632,7 @@ observer.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -4684,12 +4646,11 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text @@ -4700,7 +4661,7 @@ observer.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -4811,11 +4772,10 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text 
@@ -4825,7 +4785,7 @@ organization.name: name: name normalize: [] short: Organization name. - type: wildcard + type: keyword package.architecture: dashed_name: package-architecture description: Package architecture. @@ -5073,8 +5033,6 @@ process.code_signature.valid: content. type: boolean process.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5082,6 +5040,7 @@ process.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line + ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -5091,7 +5050,7 @@ process.command_line: name: command_line normalize: [] short: Full command line that started the process. - type: wildcard + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -5112,12 +5071,11 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable + ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -5127,7 +5085,7 @@ process.executable: name: executable normalize: [] short: Absolute path to the process executable. - type: wildcard + type: keyword process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. 
@@ -5197,14 +5155,13 @@ process.hash.ssdeep: short: SSDEEP hash. type: keyword process.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name + ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -5214,7 +5171,7 @@ process.name: name: name normalize: [] short: Process name. - type: wildcard + type: keyword process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the @@ -5315,8 +5272,6 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5324,6 +5279,7 @@ process.parent.command_line: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text @@ -5334,7 +5290,7 @@ process.parent.command_line: normalize: [] original_fieldset: process short: Full command line that started the process. - type: wildcard + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. 
@@ -5356,12 +5312,11 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -5372,7 +5327,7 @@ process.parent.executable: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: wildcard + type: keyword process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -5443,14 +5398,13 @@ process.parent.hash.ssdeep: short: SSDEEP hash. type: keyword process.parent.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -5461,7 +5415,7 @@ process.parent.name: normalize: [] original_fieldset: process short: Process name. - type: wildcard + type: keyword process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -5527,18 +5481,17 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -5610,27 +5563,25 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name + ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: wildcard + type: keyword process.parent.title: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -5641,7 +5592,7 @@ process.parent.title: normalize: [] original_fieldset: process short: Process title. - type: wildcard + type: keyword process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -5654,12 +5605,11 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -5670,7 +5620,7 @@ process.parent.working_directory: normalize: [] original_fieldset: process short: The working directory of the process. - type: wildcard + type: keyword process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -5736,18 +5686,17 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5814,26 +5763,24 @@ process.thread.id: short: Thread ID. type: long process.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name + ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: wildcard + type: keyword process.title: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title + ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -5843,7 +5790,7 @@ process.title: name: title normalize: [] short: Process title. - type: wildcard + type: keyword process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -5855,12 +5802,11 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory + ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -5870,7 +5816,7 @@ process.working_directory: name: working_directory normalize: [] short: The working directory of the process. - type: wildcard + type: keyword registry.data.bytes: dashed_name: registry-data-bytes description: 'Original bytes written with base64 encoding. 
@@ -5887,8 +5833,6 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -5899,12 +5843,13 @@ registry.data.strings: the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings + ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: wildcard + type: keyword registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -5928,30 +5873,28 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key + ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: wildcard + type: keyword registry.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path + ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: wildcard + type: keyword registry.value: dashed_name: registry-value description: Name of the value written. 
@@ -6159,12 +6102,11 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text @@ -6175,7 +6117,7 @@ server.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -6188,16 +6130,15 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: wildcard + type: keyword server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -6258,8 +6199,6 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6270,12 +6209,13 @@ server.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. 
@@ -6365,8 +6305,6 @@ server.port: short: Port of the server. type: long server.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6377,11 +6315,12 @@ server.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: wildcard + type: keyword server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes all @@ -6431,24 +6370,22 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword server.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -6459,7 +6396,7 @@ server.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -6522,12 +6459,11 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text @@ -6538,7 +6474,7 @@ server.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -6692,12 +6628,11 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -6708,7 +6643,7 @@ source.as.organization.name: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -6721,16 +6656,15 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: wildcard + type: keyword source.geo.city_name: dashed_name: source-geo-city-name description: City name. 
@@ -6791,8 +6725,6 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6803,12 +6735,13 @@ source.geo.name: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -6898,8 +6831,6 @@ source.port: short: Port of the source. type: long source.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6910,11 +6841,12 @@ source.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: wildcard + type: keyword source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes all 
@@ -6964,24 +6896,22 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword source.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text @@ -6992,7 +6922,7 @@ source.user.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -7055,12 +6985,11 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -7071,7 +7000,7 @@ source.user.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -7335,19 +7264,18 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer + ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: wildcard + type: keyword tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS @@ -7395,18 +7323,17 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject + ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: wildcard + type: keyword tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. 
@@ -7462,19 +7389,18 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) @@ -7653,18 +7579,17 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) 
@@ -7845,17 +7770,16 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer + ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: wildcard + type: keyword tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS @@ -7890,17 +7814,16 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject + ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: wildcard + type: keyword tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate 
@@ -7943,19 +7866,18 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) @@ -8134,18 +8056,17 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) 
@@ -8260,8 +8181,6 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8272,11 +8191,12 @@ url.domain: the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co flat_name: url.domain + ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: wildcard + type: keyword url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request url, @@ -8310,13 +8230,12 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full + ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text @@ -8326,10 +8245,8 @@ url.full: name: full normalize: [] short: Full unparsed URL. - type: wildcard + type: keyword url.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8339,6 +8256,7 @@ url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original + ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text 
@@ -8348,7 +8266,7 @@ url.original: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: wildcard + type: keyword url.password: dashed_name: url-password description: Password of the request. @@ -8360,16 +8278,15 @@ url.password: short: Password of the request. type: keyword url.path: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path + ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: wildcard + type: keyword url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -8398,8 +8315,6 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8410,11 +8325,12 @@ url.registered_domain: two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: wildcard + type: keyword url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". 
@@ -8487,24 +8403,22 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.changes.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -8515,7 +8429,7 @@ user.changes.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -8578,12 +8492,11 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text @@ -8594,7 +8507,7 @@ user.changes.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -8634,24 +8547,22 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.effective.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -8662,7 +8573,7 @@ user.effective.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -8725,12 +8636,11 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text @@ -8741,7 +8651,7 @@ user.effective.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -8756,23 +8666,21 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email + ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: wildcard + type: keyword user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -8782,7 +8690,7 @@ user.full_name: name: full_name normalize: [] short: User's full name, if available. - type: wildcard + type: keyword user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -8843,12 +8751,11 @@ user.id: short: Unique identifier of the user. type: keyword user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -8858,7 +8765,7 @@ user.name: name: name normalize: [] short: Short name or login of the user. - type: wildcard + type: keyword user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -8885,24 +8792,22 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.target.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -8913,7 +8818,7 @@ user.target.full_name: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -8976,12 +8881,11 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -8992,7 +8896,7 @@ user.target.name: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -9029,13 +8933,12 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -9045,7 +8948,7 @@ user_agent.original: name: original normalize: [] short: Unparsed user_agent string. - type: wildcard + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -9059,12 +8962,11 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -9075,7 +8977,7 @@ user_agent.os.full: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -9089,12 +8991,11 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used to be - type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -9105,7 +9006,7 @@ user_agent.os.name: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8c15d879d4..a3934fd463 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8,8 +8,6 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -18,11 +16,12 @@ agent: example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] flat_name: agent.build.original + ignore_above: 1024 level: core name: build.original normalize: [] short: Extended build information for the agent. - type: wildcard + type: keyword agent.ephemeral_id: dashed_name: agent-ephemeral-id description: 'Ephemeral identifier of this agent (if one exists). 
@@ -120,12 +119,11 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC flat_name: as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: as.organization.name.text @@ -135,7 +133,7 @@ as: name: organization.name normalize: [] short: Organization name. - type: wildcard + type: keyword group: 2 name: as prefix: as. @@ -277,12 +275,11 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC flat_name: client.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: client.as.organization.name.text @@ -293,7 +290,7 @@ client: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword client.bytes: dashed_name: client-bytes description: Bytes sent from the client to the server. @@ -306,16 +303,15 @@ client: short: Bytes sent from the client to the server. type: long client.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Client domain. - type: wildcard + type: keyword client.geo.city_name: dashed_name: client-geo-city-name description: City name. 
@@ -376,8 +372,6 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -388,12 +382,13 @@ client: Not typically used in automated geolocation.' example: boston-dc flat_name: client.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -483,8 +478,6 @@ client: short: Port of the client. type: long client.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -495,11 +488,12 @@ client: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: client.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered client domain, stripped of the subdomain. - type: wildcard + type: keyword client.subdomain: dashed_name: client-subdomain description: 'The subdomain portion of a fully qualified domain name includes 
@@ -549,24 +543,22 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword client.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: client.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: client.user.full_name.text @@ -577,7 +569,7 @@ client: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword client.user.group.domain: dashed_name: client-user-group-domain description: 'Name of the directory the group is a member of. @@ -640,12 +632,11 @@ client: short: Unique identifier of the user. type: keyword client.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert flat_name: client.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: client.user.name.text @@ -656,7 +647,7 @@ client: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1037,12 +1028,11 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC flat_name: destination.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: destination.as.organization.name.text @@ -1053,7 +1043,7 @@ destination: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword destination.bytes: dashed_name: destination-bytes description: Bytes sent from the destination to the source. @@ -1066,16 +1056,15 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Destination domain. - type: wildcard + type: keyword destination.geo.city_name: dashed_name: destination-geo-city-name description: City name. @@ -1136,8 +1125,6 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1148,12 +1135,13 @@ destination: Not typically used in automated geolocation.' example: boston-dc flat_name: destination.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. 
@@ -1242,8 +1230,6 @@ destination: short: Port of the destination. type: long destination.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -1254,11 +1240,12 @@ destination: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: destination.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered destination domain, stripped of the subdomain. - type: wildcard + type: keyword destination.subdomain: dashed_name: destination-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -1308,24 +1295,22 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword destination.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: destination.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: destination.user.full_name.text @@ -1336,7 +1321,7 @@ destination: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword destination.user.group.domain: dashed_name: destination-user-group-domain description: 'Name of the directory the group is a member of. 
@@ -1399,12 +1384,11 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert flat_name: destination.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: destination.user.name.text @@ -1415,7 +1399,7 @@ destination: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. @@ -1675,18 +1659,17 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: dll.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1758,19 +1741,18 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' example: 10.10.10.10 flat_name: dns.answers.data + ignore_above: 1024 level: extended name: answers.data normalize: [] short: The data describing the resource. - type: wildcard + type: keyword dns.answers.name: dashed_name: dns-answers-name description: 'The domain name to which this resource record pertains. @@ -1862,8 +1844,6 @@ dns: short: The class of records being queried. type: keyword dns.question.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1873,11 +1853,12 @@ dns: feeds should be converted to \t, \r, and \n respectively.' example: www.example.com flat_name: dns.question.name + ignore_above: 1024 level: extended name: question.name normalize: [] short: The name being queried. - type: wildcard + type: keyword dns.question.registered_domain: dashed_name: dns-question-registered-domain description: 'The highest registered domain, stripped of the subdomain. @@ -2051,11 +2032,12 @@ error: short: Error message. type: text error.stack_trace: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. + doc_values: false flat_name: error.stack_trace + ignore_above: 1024 + index: false level: extended multi_fields: - flat_name: error.stack_trace.text 
@@ -2065,19 +2047,18 @@ error: name: stack_trace normalize: [] short: The stack trace of this error in plain text. - type: wildcard + type: keyword error.type: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException flat_name: error.type + ignore_above: 1024 level: extended name: type normalize: [] short: The type of the error, for example the class name of the exception. - type: wildcard + type: keyword group: 2 name: error prefix: error. @@ -3006,18 +2987,17 @@ file: short: Device that is the source of the file. type: keyword file.directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice flat_name: file.directory + ignore_above: 1024 level: extended name: directory normalize: [] short: Directory where the file is located. - type: wildcard + type: keyword file.drive_letter: dashed_name: file-drive-letter description: 'Drive letter where the file is located. This field is only relevant @@ -3190,13 +3170,12 @@ file: short: File owner's username. type: keyword file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png flat_name: file.path + ignore_above: 1024 level: extended multi_fields: - flat_name: file.path.text 
@@ -3206,7 +3185,7 @@ file: name: path normalize: [] short: Full path to the file, including the file name. - type: wildcard + type: keyword file.pe.architecture: dashed_name: file-pe-architecture description: CPU architecture target for the file. @@ -3272,18 +3251,17 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: file.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. @@ -3309,11 +3287,10 @@ file: short: File size in bytes. type: long file.target_path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path + ignore_above: 1024 level: extended multi_fields: - flat_name: file.target_path.text @@ -3323,7 +3300,7 @@ file: name: target_path normalize: [] short: Target path for symlinks. - type: wildcard + type: keyword file.type: dashed_name: file-type description: File type (file, dir, or symlink). 
@@ -3388,19 +3365,18 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword file.x509.issuer.locality: dashed_name: file-x509-issuer-locality description: List of locality names (L) @@ -3579,18 +3555,17 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword file.x509.subject.locality: dashed_name: file-x509-subject-locality description: List of locality names (L) @@ -3740,8 +3715,6 @@ geo: short: Longitude and latitude. type: geo_point geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -3752,11 +3725,12 @@ geo: Not typically used in automated geolocation.' example: boston-dc flat_name: geo.name + ignore_above: 1024 level: extended name: name normalize: [] short: User-defined description of a location. - type: wildcard + type: keyword geo.region_iso_code: dashed_name: geo-region-iso-code description: Region ISO code. @@ -4027,8 +4001,6 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4039,12 +4011,13 @@ host: Not typically used in automated geolocation.' example: boston-dc flat_name: host.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -4070,18 +4043,17 @@ host: short: Region name. type: keyword host.hostname: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' flat_name: host.hostname + ignore_above: 1024 level: core name: hostname normalize: [] short: Hostname of the host. - type: wildcard + type: keyword host.id: dashed_name: host-id description: 'Unique host id. 
@@ -4144,12 +4116,11 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: host.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.full.text @@ -4160,7 +4131,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword host.os.kernel: dashed_name: host-os-kernel description: Operating system kernel version as a raw string. @@ -4174,12 +4145,11 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X flat_name: host.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: host.os.name.text @@ -4190,7 +4160,7 @@ host: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword host.os.platform: dashed_name: host-os-platform description: Operating system platform (such centos, ubuntu, windows). 
@@ -4273,24 +4243,22 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword host.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: host.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: host.user.full_name.text @@ -4301,7 +4269,7 @@ host: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword host.user.group.domain: dashed_name: host-user-group-domain description: 'Name of the directory the group is a member of. @@ -4364,12 +4332,11 @@ host: short: Unique identifier of the user. type: keyword host.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert flat_name: host.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: host.user.name.text @@ -4380,7 +4347,7 @@ host: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword host.user.roles: dashed_name: host-user-roles description: Array of user roles at the time of the event. 
@@ -4430,12 +4397,11 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world flat_name: http.request.body.content + ignore_above: 1024 level: extended multi_fields: - flat_name: http.request.body.content.text @@ -4445,7 +4411,7 @@ http: name: request.body.content normalize: [] short: The full HTTP request body. - type: wildcard + type: keyword http.request.bytes: dashed_name: http-request-bytes description: Total size in bytes of the request (body and headers). @@ -4508,17 +4474,16 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ flat_name: http.request.referrer + ignore_above: 1024 level: extended name: request.referrer normalize: [] short: Referrer for this HTTP request. - type: wildcard + type: keyword http.response.body.bytes: dashed_name: http-response-body-bytes description: Size in bytes of the response body. @@ -4531,12 +4496,11 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world flat_name: http.response.body.content + ignore_above: 1024 level: extended multi_fields: - flat_name: http.response.body.content.text 
@@ -4546,7 +4510,7 @@ http: name: response.body.content normalize: [] short: The full HTTP response body. - type: wildcard + type: keyword http.response.bytes: dashed_name: http-response-bytes description: Total size in bytes of the response (body and headers). @@ -4670,8 +4634,6 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4679,11 +4641,12 @@ log: If the event wasn''t read from a log file, do not populate this field.' example: /var/log/fun-times.log flat_name: log.file.path + ignore_above: 1024 level: extended name: file.path normalize: [] short: Full path to the log file this event came from. - type: wildcard + type: keyword log.level: dashed_name: log-level description: 'Original log level of the log event. @@ -4702,18 +4665,17 @@ log: short: Log level of the log event. type: keyword log.logger: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap flat_name: log.logger + ignore_above: 1024 level: core name: logger normalize: [] short: Name of the logger. - type: wildcard + type: keyword log.origin.file.line: dashed_name: log-origin-file-line description: The line number of the file containing the source code which originated 
@@ -5265,8 +5227,6 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -5277,12 +5237,13 @@ observer: Not typically used in automated geolocation.' example: boston-dc flat_name: observer.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -5454,12 +5415,11 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: observer.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.full.text @@ -5470,7 +5430,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword observer.os.kernel: dashed_name: observer-os-kernel description: Operating system kernel version as a raw string. @@ -5484,12 +5444,11 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X flat_name: observer.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: observer.os.name.text 
@@ -5500,7 +5459,7 @@ observer: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword observer.os.platform: dashed_name: observer-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -5651,11 +5610,10 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: organization.name.text @@ -5665,7 +5623,7 @@ organization: name: name normalize: [] short: Organization name. - type: wildcard + type: keyword group: 2 name: organization prefix: organization. @@ -5687,12 +5645,11 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: os.full.text @@ -5702,7 +5659,7 @@ os: name: full normalize: [] short: Operating system name, including the version or code name. - type: wildcard + type: keyword os.kernel: dashed_name: os-kernel description: Operating system kernel version as a raw string. @@ -5715,12 +5672,11 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X flat_name: os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: os.name.text 
@@ -5730,7 +5686,7 @@ os: name: name normalize: [] short: Operating system name, without the version. - type: wildcard + type: keyword os.platform: dashed_name: os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -6016,17 +5972,16 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. @@ -6161,8 +6116,6 @@ process: content. type: boolean process.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6170,6 +6123,7 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.command_line + ignore_above: 1024 level: extended multi_fields: - flat_name: process.command_line.text @@ -6179,7 +6133,7 @@ process: name: command_line normalize: [] short: Full command line that started the process. - type: wildcard + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -6200,12 +6154,11 @@ process: short: Unique identifier for the process. type: keyword process.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.executable + ignore_above: 1024 level: extended multi_fields: - flat_name: process.executable.text @@ -6215,7 +6168,7 @@ process: name: executable normalize: [] short: Absolute path to the process executable. - type: wildcard + type: keyword process.exit_code: dashed_name: process-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6285,14 +6238,13 @@ process: short: SSDEEP hash. type: keyword process.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.name + ignore_above: 1024 level: extended multi_fields: - flat_name: process.name.text @@ -6302,7 +6254,7 @@ process: name: name normalize: [] short: Process name. - type: wildcard + type: keyword process.parent.args: dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to @@ -6403,8 +6355,6 @@ process: content. type: boolean process.parent.command_line: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6412,6 +6362,7 @@ process: Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 flat_name: process.parent.command_line + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.command_line.text 
@@ -6422,7 +6373,7 @@ process: normalize: [] original_fieldset: process short: Full command line that started the process. - type: wildcard + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. @@ -6444,12 +6395,11 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh flat_name: process.parent.executable + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.executable.text @@ -6460,7 +6410,7 @@ process: normalize: [] original_fieldset: process short: Absolute path to the process executable. - type: wildcard + type: keyword process.parent.exit_code: dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. @@ -6531,14 +6481,13 @@ process: short: SSDEEP hash. type: keyword process.parent.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh flat_name: process.parent.name + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.name.text @@ -6549,7 +6498,7 @@ process: normalize: [] original_fieldset: process short: Process name. - type: wildcard + type: keyword process.parent.pe.architecture: dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. 
@@ -6615,18 +6564,17 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.parent.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. @@ -6698,27 +6646,25 @@ process: short: Thread ID. type: long process.parent.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 flat_name: process.parent.thread.name + ignore_above: 1024 level: extended name: thread.name normalize: [] original_fieldset: process short: Thread name. - type: wildcard + type: keyword process.parent.title: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.parent.title + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.title.text @@ -6729,7 +6675,7 @@ process: normalize: [] original_fieldset: process short: Process title. - type: wildcard + type: keyword process.parent.uptime: dashed_name: process-parent-uptime description: Seconds the process has been up. 
@@ -6742,12 +6688,11 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice flat_name: process.parent.working_directory + ignore_above: 1024 level: extended multi_fields: - flat_name: process.parent.working_directory.text @@ -6758,7 +6703,7 @@ process: normalize: [] original_fieldset: process short: The working directory of the process. - type: wildcard + type: keyword process.pe.architecture: dashed_name: process-pe-architecture description: CPU architecture target for the file. @@ -6824,18 +6769,17 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE flat_name: process.pe.original_file_name + ignore_above: 1024 level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. - type: wildcard + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6902,26 +6846,24 @@ process: short: Thread ID. type: long process.thread.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 flat_name: process.thread.name + ignore_above: 1024 level: extended name: thread.name normalize: [] short: Thread name. - type: wildcard + type: keyword process.title: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' flat_name: process.title + ignore_above: 1024 level: extended multi_fields: - flat_name: process.title.text @@ -6931,7 +6873,7 @@ process: name: title normalize: [] short: Process title. - type: wildcard + type: keyword process.uptime: dashed_name: process-uptime description: Seconds the process has been up. @@ -6943,12 +6885,11 @@ process: short: Seconds the process has been up. type: long process.working_directory: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice flat_name: process.working_directory + ignore_above: 1024 level: extended multi_fields: - flat_name: process.working_directory.text @@ -6958,7 +6899,7 @@ process: name: working_directory normalize: [] short: The working directory of the process. - type: wildcard + type: keyword group: 2 name: process nestings: @@ -7008,8 +6949,6 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -7020,12 +6959,13 @@ registry: be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' flat_name: registry.data.strings + ignore_above: 1024 level: core name: data.strings normalize: - array short: List of strings representing what was written to the registry. - type: wildcard + type: keyword registry.data.type: dashed_name: registry-data-type description: Standard registry type for encoding contents @@ -7049,30 +6989,28 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe flat_name: registry.key + ignore_above: 1024 level: core name: key normalize: [] short: Hive-relative path of keys. - type: wildcard + type: keyword registry.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger flat_name: registry.path + ignore_above: 1024 level: core name: path normalize: [] short: Full path, including hive, key and value - type: wildcard + type: keyword registry.value: dashed_name: registry-value description: Name of the value written. @@ -7337,12 +7275,11 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC flat_name: server.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: server.as.organization.name.text 
@@ -7353,7 +7290,7 @@ server: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword server.bytes: dashed_name: server-bytes description: Bytes sent from the server to the client. @@ -7366,16 +7303,15 @@ server: short: Bytes sent from the server to the client. type: long server.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Server domain. - type: wildcard + type: keyword server.geo.city_name: dashed_name: server-geo-city-name description: City name. @@ -7436,8 +7372,6 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7448,12 +7382,13 @@ server: Not typically used in automated geolocation.' example: boston-dc flat_name: server.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -7543,8 +7478,6 @@ server: short: Port of the server. type: long server.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. 
@@ -7555,11 +7488,12 @@ server: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: server.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered server domain, stripped of the subdomain. - type: wildcard + type: keyword server.subdomain: dashed_name: server-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -7609,24 +7543,22 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword server.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: server.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: server.user.full_name.text @@ -7637,7 +7569,7 @@ server: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword server.user.group.domain: dashed_name: server-user-group-domain description: 'Name of the directory the group is a member of. @@ -7700,12 +7632,11 @@ server: short: Unique identifier of the user. type: keyword server.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert flat_name: server.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: server.user.name.text 
@@ -7716,7 +7647,7 @@ server: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. @@ -7914,12 +7845,11 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC flat_name: source.as.organization.name + ignore_above: 1024 level: extended multi_fields: - flat_name: source.as.organization.name.text @@ -7930,7 +7860,7 @@ source: normalize: [] original_fieldset: as short: Organization name. - type: wildcard + type: keyword source.bytes: dashed_name: source-bytes description: Bytes sent from the source to the destination. @@ -7943,16 +7873,15 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain + ignore_above: 1024 level: core name: domain normalize: [] short: Source domain. - type: wildcard + type: keyword source.geo.city_name: dashed_name: source-geo-city-name description: City name. @@ -8013,8 +7942,6 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -8025,12 +7952,13 @@ source: Not typically used in automated geolocation.' example: boston-dc flat_name: source.geo.name + ignore_above: 1024 level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. - type: wildcard + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -8120,8 +8048,6 @@ source: short: Port of the source. type: long source.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -8132,11 +8058,12 @@ source: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: source.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered source domain, stripped of the subdomain. - type: wildcard + type: keyword source.subdomain: dashed_name: source-subdomain description: 'The subdomain portion of a fully qualified domain name includes @@ -8186,24 +8113,22 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword source.user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein flat_name: source.user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: source.user.full_name.text 
@@ -8214,7 +8139,7 @@ source: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword source.user.group.domain: dashed_name: source-user-group-domain description: 'Name of the directory the group is a member of. @@ -8277,12 +8202,11 @@ source: short: Unique identifier of the user. type: keyword source.user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert flat_name: source.user.name + ignore_above: 1024 level: core multi_fields: - flat_name: source.user.name.text @@ -8293,7 +8217,7 @@ source: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. @@ -8571,19 +8495,18 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.client.issuer + ignore_above: 1024 level: extended name: client.issuer normalize: [] short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - type: wildcard + type: keyword tls.client.ja3: dashed_name: tls-client-ja3 description: A hash that identifies clients based on how they perform an SSL/TLS 
@@ -8633,19 +8556,18 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com flat_name: tls.client.subject + ignore_above: 1024 level: extended name: client.subject normalize: [] short: Distinguished name of subject of the x.509 certificate presented by the client. - type: wildcard + type: keyword tls.client.supported_ciphers: dashed_name: tls-client-supported-ciphers description: Array of ciphers offered by the client during the client hello. @@ -8701,19 +8623,18 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.client.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword tls.client.x509.issuer.locality: dashed_name: tls-client-x509-issuer-locality description: List of locality names (L) 
@@ -8892,18 +8813,17 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.client.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword tls.client.x509.subject.locality: dashed_name: tls-client-x509-subject-locality description: List of locality names (L) @@ -9084,18 +9004,17 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.issuer + ignore_above: 1024 level: extended name: server.issuer normalize: [] short: Subject of the issuer of the x.509 certificate presented by the server. - type: wildcard + type: keyword tls.server.ja3s: dashed_name: tls-server-ja3s description: A hash that identifies servers based on how they perform an SSL/TLS 
@@ -9132,17 +9051,16 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com flat_name: tls.server.subject + ignore_above: 1024 level: extended name: server.subject normalize: [] short: Subject of the x.509 certificate presented by the server. - type: wildcard + type: keyword tls.server.x509.alternative_names: dashed_name: tls-server-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate @@ -9185,19 +9103,18 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: tls.server.x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword tls.server.x509.issuer.locality: dashed_name: tls-server-x509-issuer-locality description: List of locality names (L) 
@@ -9376,18 +9293,17 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: tls.server.x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword tls.server.x509.subject.locality: dashed_name: tls-server-x509-subject-locality description: List of locality names (L) @@ -9553,8 +9469,6 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -9566,11 +9480,12 @@ url: field.' example: www.elastic.co flat_name: url.domain + ignore_above: 1024 level: extended name: domain normalize: [] short: Domain of the url. - type: wildcard + type: keyword url.extension: dashed_name: url-extension description: 'The field contains the file extension from the original request @@ -9604,14 +9519,13 @@ url: short: Portion of the url after the `#`. type: keyword url.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top flat_name: url.full + ignore_above: 1024 level: extended multi_fields: - flat_name: url.full.text 
@@ -9621,10 +9535,8 @@ url: name: full normalize: [] short: Full unparsed URL. - type: wildcard + type: keyword url.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9634,6 +9546,7 @@ url: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch flat_name: url.original + ignore_above: 1024 level: extended multi_fields: - flat_name: url.original.text @@ -9643,7 +9556,7 @@ url: name: original normalize: [] short: Unmodified original url as seen in the event source. - type: wildcard + type: keyword url.password: dashed_name: url-password description: Password of the request. @@ -9655,16 +9568,15 @@ url: short: Password of the request. type: keyword url.path: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path + ignore_above: 1024 level: extended name: path normalize: [] short: Path of the request, such as "/search". - type: wildcard + type: keyword url.port: dashed_name: url-port description: Port of the request, such as 443. @@ -9693,8 +9605,6 @@ url: short: Query string of the request. type: keyword url.registered_domain: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. 
@@ -9705,11 +9615,12 @@ url: the last two labels will not work well for TLDs such as "co.uk".' example: example.com flat_name: url.registered_domain + ignore_above: 1024 level: extended name: registered_domain normalize: [] short: The highest registered url domain, stripped of the subdomain. - type: wildcard + type: keyword url.scheme: dashed_name: url-scheme description: 'Scheme of the request, such as "https". @@ -9795,24 +9706,22 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.changes.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.changes.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.changes.full_name.text @@ -9823,7 +9732,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.changes.group.domain: dashed_name: user-changes-group-domain description: 'Name of the directory the group is a member of. @@ -9886,12 +9795,11 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert flat_name: user.changes.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.changes.name.text 
@@ -9902,7 +9810,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. @@ -9942,24 +9850,22 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.effective.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.effective.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.effective.full_name.text @@ -9970,7 +9876,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.effective.group.domain: dashed_name: user-effective-group-domain description: 'Name of the directory the group is a member of. @@ -10033,12 +9939,11 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert flat_name: user.effective.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.effective.name.text 
@@ -10049,7 +9954,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. @@ -10064,23 +9969,21 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email + ignore_above: 1024 level: extended name: email normalize: [] short: User email address. - type: wildcard + type: keyword user.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.full_name.text @@ -10090,7 +9993,7 @@ user: name: full_name normalize: [] short: User's full name, if available. - type: wildcard + type: keyword user.group.domain: dashed_name: user-group-domain description: 'Name of the directory the group is a member of. @@ -10151,12 +10054,11 @@ user: short: Unique identifier of the user. type: keyword user.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert flat_name: user.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.name.text @@ -10166,7 +10068,7 @@ user: name: name normalize: [] short: Short name or login of the user. - type: wildcard + type: keyword user.roles: dashed_name: user-roles description: Array of user roles at the time of the event. 
@@ -10193,24 +10095,22 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email + ignore_above: 1024 level: extended name: email normalize: [] original_fieldset: user short: User email address. - type: wildcard + type: keyword user.target.full_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein flat_name: user.target.full_name + ignore_above: 1024 level: extended multi_fields: - flat_name: user.target.full_name.text @@ -10221,7 +10121,7 @@ user: normalize: [] original_fieldset: user short: User's full name, if available. - type: wildcard + type: keyword user.target.group.domain: dashed_name: user-target-group-domain description: 'Name of the directory the group is a member of. @@ -10284,12 +10184,11 @@ user: short: Unique identifier of the user. type: keyword user.target.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert flat_name: user.target.name + ignore_above: 1024 level: core multi_fields: - flat_name: user.target.name.text @@ -10300,7 +10199,7 @@ user: normalize: [] original_fieldset: user short: Short name or login of the user. - type: wildcard + type: keyword user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. 
@@ -10399,13 +10298,12 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 flat_name: user_agent.original + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.original.text @@ -10415,7 +10313,7 @@ user_agent: name: original normalize: [] short: Unparsed user_agent string. - type: wildcard + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -10429,12 +10327,11 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave flat_name: user_agent.os.full + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.full.text @@ -10445,7 +10342,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, including the version or code name. - type: wildcard + type: keyword user_agent.os.kernel: dashed_name: user-agent-os-kernel description: Operating system kernel version as a raw string. 
@@ -10459,12 +10356,11 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X flat_name: user_agent.os.name + ignore_above: 1024 level: extended multi_fields: - flat_name: user_agent.os.name.text @@ -10475,7 +10371,7 @@ user_agent: normalize: [] original_fieldset: os short: Operating system name, without the version. - type: wildcard + type: keyword user_agent.os.platform: dashed_name: user-agent-os-platform description: Operating system platform (such centos, ubuntu, windows). @@ -10841,18 +10737,17 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA flat_name: x509.issuer.distinguished_name + ignore_above: 1024 level: extended name: issuer.distinguished_name normalize: [] short: Distinguished name (DN) of issuing certificate authority. - type: wildcard + type: keyword x509.issuer.locality: dashed_name: x509-issuer-locality description: List of locality names (L) 
@@ -11017,17 +10912,16 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: - beta: Note the usage of `wildcard` type is considered beta. This field used - to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net flat_name: x509.subject.distinguished_name + ignore_above: 1024 level: extended name: subject.distinguished_name normalize: [] short: Distinguished name (DN) of the certificate subject entity. - type: wildcard + type: keyword x509.subject.locality: dashed_name: x509-subject-locality description: List of locality names (L) diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 85c3f90970..04000cc76a 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -27,7 +27,8 @@ "build": { "properties": { "original": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -73,7 +74,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -83,7 +85,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -107,7 +110,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -143,7 +147,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -160,7 +165,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -169,7 +175,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { 
@@ -202,7 +209,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -331,7 +339,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -341,7 +350,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -365,7 +375,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -401,7 +412,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -418,7 +430,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -427,7 +440,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -460,7 +474,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -548,7 +563,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -567,7 +583,8 @@ "type": "keyword" }, "data": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "name": { "ignore_above": 1024, @@ -602,7 +619,8 @@ "type": "keyword" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "registered_domain": { "ignore_above": 1024, @@ -658,16 +676,20 @@ "type": "text" }, "stack_trace": { + "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "index": false, + "type": "keyword" }, "type": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -809,7 +831,8 @@ "type": "keyword" }, "directory": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "drive_letter": { "ignore_above": 1, @@ -881,7 +904,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "pe": { "properties": { @@ -906,7 +930,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -924,7 +949,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "type": { "ignore_above": 1024, @@ -951,7 +977,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -1012,7 +1039,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -1088,7 +1116,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -1101,7 +1130,8 @@ } }, "hostname": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "id": { "ignore_above": 1024, @@ -1131,7 +1161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, @@ -1144,7 +1175,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, @@ -1174,7 +1206,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -1183,7 +1216,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -1216,7 +1250,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, 
@@ -1242,7 +1277,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1262,7 +1298,8 @@ "type": "keyword" }, "referrer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1280,7 +1317,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1310,7 +1348,8 @@ "file": { "properties": { "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1319,7 +1358,8 @@ "type": "keyword" }, "logger": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "origin": { "properties": { @@ -1517,7 +1557,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -1594,7 +1635,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, @@ -1607,7 +1649,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, @@ -1658,7 +1701,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1753,7 +1797,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "entity_id": { "ignore_above": 1024, @@ -1766,7 +1811,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "exit_code": { "type": "long" @@ -1802,7 +1848,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "parent": { "properties": { @@ -1841,7 +1888,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "entity_id": { "ignore_above": 1024, @@ -1854,7 +1902,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "exit_code": { "type": "long" 
@@ -1890,7 +1939,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "pe": { "properties": { @@ -1915,7 +1965,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -1941,7 +1992,8 @@ "type": "long" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1952,7 +2004,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "uptime": { "type": "long" @@ -1964,7 +2017,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1991,7 +2045,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -2017,7 +2072,8 @@ "type": "long" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2028,7 +2084,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "uptime": { "type": "long" @@ -2040,7 +2097,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2053,7 +2111,8 @@ "type": "keyword" }, "strings": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "type": { "ignore_above": 1024, @@ -2066,10 +2125,12 @@ "type": "keyword" }, "key": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "value": { "ignore_above": 1024, @@ -2160,7 +2221,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -2170,7 +2232,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { 
@@ -2194,7 +2257,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -2230,7 +2294,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -2247,7 +2312,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -2256,7 +2322,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -2289,7 +2356,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -2355,7 +2423,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -2365,7 +2434,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -2389,7 +2459,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -2425,7 +2496,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -2442,7 +2514,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -2451,7 +2524,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -2484,7 +2558,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -2607,7 +2682,8 @@ } }, "issuer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "ja3": { "ignore_above": 1024, 
@@ -2624,7 +2700,8 @@ "type": "keyword" }, "subject": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "supported_ciphers": { "ignore_above": 1024, @@ -2647,7 +2724,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -2708,7 +2786,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -2777,7 +2856,8 @@ } }, "issuer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "ja3s": { "ignore_above": 1024, @@ -2790,7 +2870,8 @@ "type": "date" }, "subject": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "x509": { "properties": { @@ -2809,7 +2890,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -2870,7 +2952,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -2927,7 +3010,8 @@ "url": { "properties": { "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "extension": { "ignore_above": 1024, @@ -2944,7 +3028,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "original": { "fields": { @@ -2953,14 +3038,16 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "port": { "type": "long" @@ -2970,7 +3057,8 @@ "type": "keyword" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "scheme": { "ignore_above": 1024, 
@@ -2999,7 +3087,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -3008,7 +3097,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -3041,7 +3131,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -3060,7 +3151,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -3069,7 +3161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -3102,7 +3195,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -3111,7 +3205,8 @@ } }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -3120,7 +3215,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -3153,7 +3249,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -3166,7 +3263,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -3175,7 +3273,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -3208,7 +3307,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -3239,7 +3339,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "os": { "properties": { @@ -3254,7 +3355,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, 
@@ -3267,7 +3369,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json index d7921d9adf..c2b08b44de 100644 --- a/generated/elasticsearch/component/agent.json +++ b/generated/elasticsearch/component/agent.json @@ -11,7 +11,8 @@ "build": { "properties": { "original": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json index c0840d578f..4813913258 100644 --- a/generated/elasticsearch/component/client.json +++ b/generated/elasticsearch/component/client.json @@ -26,7 +26,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -36,7 +37,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -60,7 +62,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -96,7 +99,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -113,7 +117,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -122,7 +127,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -155,7 +161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json index cf63935a0a..c73b493e86 100644 --- a/generated/elasticsearch/component/destination.json 
+++ b/generated/elasticsearch/component/destination.json @@ -26,7 +26,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -36,7 +37,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -60,7 +62,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -96,7 +99,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -113,7 +117,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -122,7 +127,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -155,7 +161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index 5c4ff06d3f..00e5bc3428 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -84,7 +84,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json index f66115ccb1..a27dd8b739 100644 --- a/generated/elasticsearch/component/dns.json +++ b/generated/elasticsearch/component/dns.json @@ -15,7 +15,8 @@ "type": "keyword" }, "data": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "name": { "ignore_above": 1024, 
@@ -50,7 +51,8 @@ "type": "keyword" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "registered_domain": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json index 328259dd49..1364cd968c 100644 --- a/generated/elasticsearch/component/error.json +++ b/generated/elasticsearch/component/error.json @@ -21,16 +21,20 @@ "type": "text" }, "stack_trace": { + "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "index": false, + "type": "keyword" }, "type": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index 10b9ed8f62..ddabf1bb60 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -47,7 +47,8 @@ "type": "keyword" }, "directory": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "drive_letter": { "ignore_above": 1, @@ -119,7 +120,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "pe": { "properties": { @@ -144,7 +146,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -162,7 +165,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "type": { "ignore_above": 1024, @@ -189,7 +193,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -250,7 +255,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, 
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index c0e3c0fcf5..3d0b3a8cf8 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -38,7 +38,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -51,7 +52,8 @@ } }, "hostname": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "id": { "ignore_above": 1024, @@ -81,7 +83,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, @@ -94,7 +97,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, @@ -124,7 +128,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -133,7 +138,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -166,7 +172,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json index d208148bdb..daff315854 100644 --- a/generated/elasticsearch/component/http.json +++ b/generated/elasticsearch/component/http.json @@ -22,7 +22,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -42,7 +43,8 @@ "type": "keyword" }, "referrer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -60,7 +62,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json index b699db361d..43bf92832c 100644 
--- a/generated/elasticsearch/component/log.json +++ b/generated/elasticsearch/component/log.json @@ -11,7 +11,8 @@ "file": { "properties": { "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -20,7 +21,8 @@ "type": "keyword" }, "logger": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "origin": { "properties": { diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json index 30dce73707..049625241b 100644 --- a/generated/elasticsearch/component/observer.json +++ b/generated/elasticsearch/component/observer.json @@ -67,7 +67,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -144,7 +145,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, @@ -157,7 +159,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json index d9cb399e89..8d218314ee 100644 --- a/generated/elasticsearch/component/organization.json +++ b/generated/elasticsearch/component/organization.json @@ -19,7 +19,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index f214a3c6bd..4983b405b0 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -43,7 +43,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "entity_id": { "ignore_above": 1024, @@ -56,7 +57,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "exit_code": { "type": "long" 
@@ -92,7 +94,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "parent": { "properties": { @@ -131,7 +134,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "entity_id": { "ignore_above": 1024, @@ -144,7 +148,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "exit_code": { "type": "long" @@ -180,7 +185,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "pe": { "properties": { @@ -205,7 +211,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -231,7 +238,8 @@ "type": "long" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -242,7 +250,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "uptime": { "type": "long" @@ -254,7 +263,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -281,7 +291,8 @@ "type": "keyword" }, "original_file_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "product": { "ignore_above": 1024, @@ -307,7 +318,8 @@ "type": "long" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } }, @@ -318,7 +330,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "uptime": { "type": "long" @@ -330,7 +343,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json index 0ed4b2c47c..c7daf11d16 100644 --- a/generated/elasticsearch/component/registry.json +++ b/generated/elasticsearch/component/registry.json 
@@ -15,7 +15,8 @@ "type": "keyword" }, "strings": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "type": { "ignore_above": 1024, @@ -28,10 +29,12 @@ "type": "keyword" }, "key": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "value": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index 39f925b650..bdd746f660 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json @@ -26,7 +26,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } @@ -36,7 +37,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -60,7 +62,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -96,7 +99,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -113,7 +117,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -122,7 +127,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -155,7 +161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index 5a00a9eb52..cb236d53f0 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -26,7 +26,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" } } } 
@@ -36,7 +37,8 @@ "type": "long" }, "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "geo": { "properties": { @@ -60,7 +62,8 @@ "type": "geo_point" }, "name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "region_iso_code": { "ignore_above": 1024, @@ -96,7 +99,8 @@ "type": "long" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "subdomain": { "ignore_above": 1024, @@ -113,7 +117,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -122,7 +127,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -155,7 +161,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json index 35a5c46faf..4621cedde0 100644 --- a/generated/elasticsearch/component/tls.json +++ b/generated/elasticsearch/component/tls.json @@ -39,7 +39,8 @@ } }, "issuer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "ja3": { "ignore_above": 1024, @@ -56,7 +57,8 @@ "type": "keyword" }, "subject": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "supported_ciphers": { "ignore_above": 1024, @@ -79,7 +81,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -140,7 +143,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -209,7 +213,8 @@ } }, "issuer": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "ja3s": { "ignore_above": 1024, 
@@ -222,7 +227,8 @@ "type": "date" }, "subject": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "x509": { "properties": { @@ -241,7 +247,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, @@ -302,7 +309,8 @@ "type": "keyword" }, "distinguished_name": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "locality": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json index 0975aa95ce..8b7b56aa0d 100644 --- a/generated/elasticsearch/component/url.json +++ b/generated/elasticsearch/component/url.json @@ -9,7 +9,8 @@ "url": { "properties": { "domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "extension": { "ignore_above": 1024, @@ -26,7 +27,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "original": { "fields": { @@ -35,14 +37,16 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "password": { "ignore_above": 1024, "type": "keyword" }, "path": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "port": { "type": "long" @@ -52,7 +56,8 @@ "type": "keyword" }, "registered_domain": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "scheme": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json index 02dee92890..af3bc6bf2f 100644 --- a/generated/elasticsearch/component/user.json +++ b/generated/elasticsearch/component/user.json @@ -15,7 +15,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -24,7 +25,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { 
@@ -57,7 +59,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -76,7 +79,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -85,7 +89,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -118,7 +123,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -127,7 +133,8 @@ } }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -136,7 +143,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -169,7 +177,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, @@ -182,7 +191,8 @@ "type": "keyword" }, "email": { - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -191,7 +201,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "group": { "properties": { @@ -224,7 +235,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "roles": { "ignore_above": 1024, diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json index 6ecb7d46e4..be9177da45 100644 --- a/generated/elasticsearch/component/user_agent.json +++ b/generated/elasticsearch/component/user_agent.json @@ -27,7 +27,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "os": { "properties": { @@ -42,7 +43,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "kernel": { "ignore_above": 1024, 
@@ -55,7 +57,8 @@ "type": "text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, "platform": { "ignore_above": 1024, diff --git a/schemas/agent.yml b/schemas/agent.yml index ada014aecb..a7758e90ce 100644 --- a/schemas/agent.yml +++ b/schemas/agent.yml @@ -24,9 +24,8 @@ - name: build.original level: core - type: wildcard + type: keyword short: Extended build information for the agent. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Extended build information for the agent. diff --git a/schemas/as.yml b/schemas/as.yml index 0094a46a9a..952d7febeb 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -29,8 +29,7 @@ - name: organization.name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Organization name. example: Google LLC diff --git a/schemas/client.yml b/schemas/client.yml index b61329316e..e63ab70276 100644 --- a/schemas/client.yml +++ b/schemas/client.yml @@ -53,16 +53,14 @@ - name: domain level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Client domain. - name: registered_domain level: extended - type: wildcard + type: keyword short: The highest registered client domain, stripped of the subdomain. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered client domain, stripped of the subdomain. diff --git a/schemas/destination.yml b/schemas/destination.yml index ab6979e346..a1e91958f7 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml 
@@ -48,15 +48,13 @@ - name: domain level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Destination domain. - name: registered_domain level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword short: The highest registered destination domain, stripped of the subdomain. description: > The highest registered destination domain, stripped of the subdomain. diff --git a/schemas/dns.yml b/schemas/dns.yml index 220a723967..afe11a190a 100644 --- a/schemas/dns.yml +++ b/schemas/dns.yml @@ -66,9 +66,8 @@ - name: question.name level: extended - type: wildcard + type: keyword short: The name being queried. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name being queried. @@ -186,9 +185,8 @@ - name: answers.data level: extended - type: wildcard + type: keyword short: The data describing the resource. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The data describing the resource. diff --git a/schemas/error.yml b/schemas/error.yml index b1ae66f588..7d96f09a4b 100644 --- a/schemas/error.yml +++ b/schemas/error.yml @@ -31,16 +31,15 @@ - name: type level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword example: java.lang.NullPointerException description: > The type of the error, for example the class name of the exception. - name: stack_trace level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword + index: false description: > The stack trace of this error in plain text. multi_fields: 
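Review bot: The new `index: false` on error.stack_trace makes the keyword field itself unsearchable and, together with the `ignore_above: 1024` and `doc_values: false` that appear on it in the regenerated error.json in this commit, unaggregatable, yet the description still reads only `The stack trace of this error in plain text.` and does not say how the value can be queried. Add a sentence to the description, e.g. `This field is not indexed as a keyword; use the error.stack_trace.text multi-field for full-text search.` The `doc_values: false` is not declared in this hunk, so it is presumably added by the generator whenever `index: false` is set; if that coupling is intended it deserves a one-line comment next to `index: false` so a later edit does not silently lose it.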
diff --git a/schemas/file.yml b/schemas/file.yml index 419116c8da..545b4661fa 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -33,9 +33,8 @@ - name: directory level: extended - type: wildcard + type: keyword short: Directory where the file is located. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Directory where the file is located. It should include the drive letter, when appropriate. @@ -54,9 +53,8 @@ - name: path level: extended - type: wildcard + type: keyword short: Full path to the file, including the file name. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -67,8 +65,7 @@ - name: target_path level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Target path for symlinks. multi_fields: - type: text diff --git a/schemas/geo.yml b/schemas/geo.yml index a6654d982f..347d60829e 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml @@ -71,9 +71,8 @@ - name: name level: extended - type: wildcard + type: keyword short: User-defined description of a location. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > User-defined description of a location, at the level of granularity they care about. diff --git a/schemas/host.yml b/schemas/host.yml index f751d9b3ff..2fdbd9e4f7 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -14,9 +14,8 @@ - name: hostname level: core - type: wildcard + type: keyword short: Hostname of the host. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Hostname of the host. diff --git a/schemas/http.yml b/schemas/http.yml index 75475199b4..1a5531e5a5 100644 
--- a/schemas/http.yml +++ b/schemas/http.yml @@ -15,9 +15,9 @@ description: > A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. - + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` - or `X-Correlation-ID`. + or `X-Correlation-ID`. example: 123e4567-e89b-12d3-a456-426614174000 @@ -55,8 +55,7 @@ - name: request.body.content level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > The full HTTP request body. example: Hello world @@ -66,8 +65,7 @@ - name: request.referrer level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Referrer for this HTTP request. example: https://blog.example.com/ @@ -96,8 +94,7 @@ - name: response.body.content level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > The full HTTP response body. example: Hello world diff --git a/schemas/log.yml b/schemas/log.yml index 991b9235a0..fed4c063dd 100644 --- a/schemas/log.yml +++ b/schemas/log.yml @@ -31,9 +31,8 @@ - name: file.path level: extended - type: wildcard + type: keyword short: Full path to the log file this event came from. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
@@ -64,10 +63,9 @@ - name: logger level: core - type: wildcard + type: keyword example: org.elasticsearch.bootstrap.Bootstrap short: Name of the logger. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. diff --git a/schemas/organization.yml b/schemas/organization.yml index 4eee9ce663..dcd2358927 100644 --- a/schemas/organization.yml +++ b/schemas/organization.yml @@ -14,8 +14,7 @@ - name: name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Organization name. multi_fields: diff --git a/schemas/os.yml b/schemas/os.yml index 9a93fd933b..8b8cfcdad7 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -36,9 +36,8 @@ - name: name level: extended - type: wildcard + type: keyword example: "Mac OS X" - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, without the version. multi_fields: @@ -47,9 +46,8 @@ - name: full level: extended - type: wildcard + type: keyword example: "Mac OS Mojave" - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Operating system name, including the version or code name. multi_fields: diff --git a/schemas/pe.yml b/schemas/pe.yml index 8a7e2ddaf8..126fb16136 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -13,8 +13,7 @@ fields: - name: original_file_name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE diff --git a/schemas/process.yml b/schemas/process.yml index 8c9661cebd..13ec63c07f 100644 
--- a/schemas/process.yml +++ b/schemas/process.yml @@ -44,9 +44,8 @@ - name: name level: extended - type: wildcard + type: keyword short: Process name. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process name. @@ -73,9 +72,8 @@ - name: command_line level: extended - type: wildcard + type: keyword short: Full command line that started the process. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -112,8 +110,7 @@ - name: executable level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Absolute path to the process executable. example: /usr/bin/ssh @@ -123,9 +120,8 @@ - name: title level: extended - type: wildcard + type: keyword short: Process title. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Process title. @@ -145,8 +141,7 @@ - name: thread.name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword example: 'thread-0' description: > Thread name. @@ -167,9 +162,8 @@ - name: working_directory level: extended - type: wildcard + type: keyword example: /home/alice - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The working directory of the process. multi_fields: diff --git a/schemas/registry.yml b/schemas/registry.yml index 576727087e..bf8670d84e 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml 
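Review bot: Reverting process.command_line (and executable, working_directory, title, name in the same file) to `type: keyword` brings back the generator's default `ignore_above: 1024`, visible on these fields in the regenerated process.json in this commit, so a command line longer than 1024 characters is silently not indexed on the keyword field and only matches through the `.text` multi-field; exact-match, prefix and wildcard queries in detection rules over long command lines stop matching without any error. The schema already supports a per-field `ignore_above` (file.drive_letter carries `ignore_above: 1` in the generated file.json), so either set an explicit, larger value on these fields or add to the command_line description a sentence such as `Values longer than 1024 characters are not indexed on this field; query the .text multi-field for long command lines.` The same consideration applies to http.request.body.content and http.response.body.content in schemas/http.yml, registry.key and registry.path in schemas/registry.yml, and url.original and url.full in schemas/url.yml, which are all changed the same way in this commit.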
@@ -14,8 +14,7 @@ - name: key level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -27,8 +26,7 @@ - name: path level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -40,9 +38,8 @@ - name: data.strings level: core - type: wildcard + type: keyword short: List of strings representing what was written to the registry. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. example: '["C:\rta\red_ttp\bin\myapp.exe"]' description: > Content when writing string types. diff --git a/schemas/server.yml b/schemas/server.yml index b8d6924696..867b3bd03c 100644 --- a/schemas/server.yml +++ b/schemas/server.yml @@ -53,15 +53,13 @@ - name: domain level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Server domain. - name: registered_domain level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword short: The highest registered server domain, stripped of the subdomain. description: > The highest registered server domain, stripped of the subdomain. diff --git a/schemas/source.yml b/schemas/source.yml index 581d5c062b..268b975312 100644 --- a/schemas/source.yml +++ b/schemas/source.yml 
@@ -48,16 +48,14 @@ - name: domain level: core - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Source domain. - name: registered_domain level: extended - type: wildcard + type: keyword short: The highest registered source domain, stripped of the subdomain. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered source domain, stripped of the subdomain. diff --git a/schemas/tls.yml b/schemas/tls.yml index 781aafb66e..3ecacb041a 100644 --- a/schemas/tls.yml +++ b/schemas/tls.yml @@ -78,16 +78,14 @@ - array - name: client.subject - type: wildcard + type: keyword level: extended - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the x.509 certificate presented by the client. example: "CN=myclient, OU=Documentation Team, DC=example, DC=com" - name: client.issuer - type: wildcard + type: keyword level: extended - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com" 
@@ -159,16 +157,14 @@ example: 394441ab65754e2207b1e1b457b3641d - name: server.subject - type: wildcard + type: keyword level: extended - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the x.509 certificate presented by the server. example: "CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com" - name: server.issuer - type: wildcard + type: keyword level: extended - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: Subject of the issuer of the x.509 certificate presented by the server. example: "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com" diff --git a/schemas/url.yml b/schemas/url.yml index a264e59395..88a0278891 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -10,8 +10,7 @@ - name: original level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword short: Unmodified original url as seen in the event source. description: > Unmodified original url as seen in the event source. @@ -29,9 +28,8 @@ - name: full level: extended - type: wildcard + type: keyword short: Full unparsed URL. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the @@ -53,9 +51,8 @@ - name: domain level: extended - type: wildcard + type: keyword short: Domain of the url. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Domain of the url, such as "www.elastic.co". 
@@ -68,9 +65,8 @@ - name: registered_domain level: extended - type: wildcard + type: keyword short: The highest registered url domain, stripped of the subdomain. - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > The highest registered url domain, stripped of the subdomain. @@ -120,8 +116,7 @@ - name: path level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > Path of the request, such as "/search". diff --git a/schemas/user.yml b/schemas/user.yml index 6e010627cf..0fe7a32411 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -48,9 +48,8 @@ - name: name level: core - type: wildcard + type: keyword example: albert - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. description: > Short name or login of the user. multi_fields: @@ -59,8 +58,7 @@ - name: full_name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword example: Albert Einstein description: > User's full name, if available. @@ -70,8 +68,7 @@ - name: email level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: > User email address. diff --git a/schemas/user_agent.yml b/schemas/user_agent.yml index 84388859cf..9c18c20827 100644 --- a/schemas/user_agent.yml +++ b/schemas/user_agent.yml @@ -12,8 +12,7 @@ - name: original level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword multi_fields: - type: text name: text diff --git a/schemas/x509.yml b/schemas/x509.yml index a36e8a91a1..124551c96c 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml 
@@ -37,8 +37,7 @@ - name: issuer.distinguished_name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -114,8 +113,7 @@ - name: subject.distinguished_name level: extended - type: wildcard - beta: Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. + type: keyword description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/use-cases/auditbeat.md b/use-cases/auditbeat.md index 15e2935a61..dff825a597 100644 --- a/use-cases/auditbeat.md +++ b/use-cases/auditbeat.md @@ -9,8 +9,8 @@ ECS usage in Auditbeat. |---|---|---|---|---| | [event.module](../README.md#event.module) | Auditbeat module name. | core | keyword | `apache` | | *file.** | *File attributes.
* | | | | -| [file.path](../README.md#file.path) | The path to the file. | extended | wildcard | `/home/alice/example.png` | -| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | wildcard | | +| [file.path](../README.md#file.path) | The path to the file. | extended | keyword | `/home/alice/example.png` | +| [file.target_path](../README.md#file.target_path) | The target path for symlinks. | extended | keyword | | | [file.type](../README.md#file.type) | The file type (file, dir, or symlink). | extended | keyword | `file` | | [file.device](../README.md#file.device) | The device. | extended | keyword | `sda` | | [file.inode](../README.md#file.inode) | The inode representing the file in the filesystem. | extended | keyword | `256383` | diff --git a/use-cases/filebeat-apache-access.md b/use-cases/filebeat-apache-access.md index 293c2fb190..a9ef41840f 100644 --- a/use-cases/filebeat-apache-access.md +++ b/use-cases/filebeat-apache-access.md @@ -13,7 +13,7 @@ ECS fields used in Filebeat for the apache module. | [event.module](../README.md#event.module) | Currently fileset.module | core | keyword | `apache` | | [event.dataset](../README.md#event.dataset) | Currenly fileset.name | core | keyword | `access` | | [source.ip](../README.md#source.ip) | Source ip of the request. Currently apache.access.remote_ip | core | ip | `192.168.1.1` | -| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | wildcard | `ruflin` | +| [user.name](../README.md#user.name) | User name in the request. Currently apache.access.user_name | core | keyword | `ruflin` | | *http.method* | *Http method, currently apache.access.method* | (use case) | keyword | `GET` | | *http.url* | *Http url, currently apache.access.url* | (use case) | keyword | `http://elastic.co/` | | [http.version](../README.md#http.version) | Http version, currently apache.access.http_version | extended | keyword | `1.1` | 
@@ -21,7 +21,7 @@ ECS fields used in Filebeat for the apache module. | *http.response.body_sent.bytes* | *Http response body bytes sent, currently apache.access.body_sent.bytes* | (use case) | long | `117` | | *http.referer* | *Http referrer code, currently apache.access.referrer
NOTE: In the RFC its misspell as referer and has become accepted standard* | (use case) | keyword | `http://elastic.co/` | | *user_agent.** | *User agent fields as in schema. Currently under apache.access.user_agent.*
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | wildcard | `http://elastic.co/` | +| [user_agent.original](../README.md#user_agent.original) | Original user agent. Currently apache.access.agent | extended | keyword | `http://elastic.co/` | | *geoip.** | *User agent fields as in schema. Currently under apache.access.geoip.*
These are extracted from source.ip
Should they be under source.geoip?
* | | | | | *geoip....* | *All geoip fields.* | (use case) | keyword | | diff --git a/use-cases/kubernetes.md b/use-cases/kubernetes.md index 057ed289cb..5588da6060 100644 --- a/use-cases/kubernetes.md +++ b/use-cases/kubernetes.md @@ -10,7 +10,7 @@ You can monitor containers running in a Kubernetes cluster by adding Kubernetes- |---|---|---|---|---| | [container.id](../README.md#container.id) | Unique container id. | core | keyword | `fdbef803fa2b` | | [container.name](../README.md#container.name) | Container name. | extended | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | wildcard | `kube-high-cpu-42` | +| [host.hostname](../README.md#host.hostname) | Hostname of the host.
It normally contains what the `hostname` command returns on the host machine. | core | keyword | `kube-high-cpu-42` | | *kubernetes.pod.name* | *Kubernetes pod name* | (use case) | keyword | `foo-webserver` | | *kubernetes.namespace* | *Kubernetes namespace* | (use case) | keyword | `foo-team` | | *kubernetes.labels* | *Kubernetes labels map* | (use case) | object | | diff --git a/use-cases/metricbeat.md b/use-cases/metricbeat.md index 79b3369efd..c573a7897e 100644 --- a/use-cases/metricbeat.md +++ b/use-cases/metricbeat.md @@ -21,7 +21,7 @@ ECS fields used Metricbeat. | *error.** | *Error namespace
Use for errors which can happen during fetching information for a service.
* | | | | | [error.message](../README.md#error.message) | Error message returned by the service during fetching metrics. | core | text | | | [error.code](../README.md#error.code) | Error code returned by the service during fetching metrics. | core | keyword | | -| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | wildcard | | +| [host.hostname](../README.md#host.hostname) | Hostname of the system metricbeat is running on or user defined name. | core | keyword | | | *host.timezone.offset.sec* | *Timezone offset of the host in seconds.* | (use case) | long | | | [host.id](../README.md#host.id) | Unique host id. | core | keyword | | | [event.module](../README.md#event.module) | Name of the module this data is coming from. | core | keyword | `mysql` | diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md index d70944b48c..57f9a96062 100644 --- a/use-cases/web-logs.md +++ b/use-cases/web-logs.md @@ -12,12 +12,12 @@ Using the fields as represented here is not expected to conflict with ECS, but m | [@timestamp](../README.md#@timestamp) | Time at which the response was sent, and the web server log created. | core | date | `2016-05-23T08:05:34.853Z` | | *http.** | *Fields related to HTTP requests and responses.
* | | | | | [http.request.method](../README.md#http.request.method) | Http request method. | extended | keyword | `GET, POST, PUT` | -| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | wildcard | `https://blog.example.com/` | +| [http.request.referrer](../README.md#http.request.referrer) | Referrer for this HTTP request. | extended | keyword | `https://blog.example.com/` | | [http.response.status_code](../README.md#http.response.status_code) | Http response status code. | extended | long | `404` | -| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | wildcard | `Hello world` | +| [http.response.body.content](../README.md#http.response.body.content) | The full http response body. | extended | keyword | `Hello world` | | [http.version](../README.md#http.version) | Http version. | extended | keyword | `1.1` | | *user_agent.** | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
* | | | | -| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | wildcard | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | +| [user_agent.original](../README.md#user_agent.original) | Unparsed version of the user_agent. | extended | keyword | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | | *user_agent.device* | *Name of the physical device.* | (use case) | keyword | | | [user_agent.version](../README.md#user_agent.version) | Version of the physical device. | extended | keyword | `12.0` | | *user_agent.major* | *Major version of the user agent.* | (use case) | long | | From 324c0bc0e8fe1e1014bf2ffbbb28b8008d189355 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 2 Feb 2021 14:34:54 -0600 Subject: [PATCH 73/90] Add scaled_float type to go generator (#1250) (#1251) * add scaled_float * changelog --- CHANGELOG.next.md | 1 + scripts/cmd/gocodegen/gocodegen.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 90e3574f3f..bc78ca8138 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -33,6 +33,7 @@ Thanks, you're awesome :-) --> #### Bugfixes * Clean up `event.reference` description. #1181 +* Go code generator fails if `scaled_float` type is used. #1250 #### Added diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go index 8fff5ed5d9..4ec88739f9 100644 --- a/scripts/cmd/gocodegen/gocodegen.go +++ b/scripts/cmd/gocodegen/gocodegen.go @@ -280,7 +280,7 @@ func goDataType(fieldName, elasticsearchDataType string) string { return "int64" case "integer": return "int32" - case "float": + case "float", "scaled_float": return "float64" case "date": return "time.Time" From c8aea733031d0f4919673ee8c3c43a2848e82c25 Mon Sep 17 00:00:00 2001 
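Review bot: The changed `case "float", "scaled_float":` covers only one of the Elasticsearch floating-point types; `double` and `half_float` are in no visible case, so a schema field using either would presumably hit the same generator failure the changelog entry describes for `scaled_float`. If the schema loader accepts those types, `case "float", "double", "half_float", "scaled_float":` closes the gap in one place. A short comment would also help the next reader, since `scaled_float` is stored as a scaled integer in Elasticsearch but represents a floating-point value: `// scaled_float is a float with a scaling factor in Elasticsearch; float64 is the closest Go type.` goDataType's body starts before this hunk and its default branch is not visible here.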
From: Eric Beahan Date: Wed, 10 Feb 2021 15:00:38 -0600 Subject: [PATCH 74/90] Add categorization fields usage docs (#1242) (#1257) --- docs/field-values-usage.asciidoc | 175 ++++++++++++++++++++++++++++++ docs/field-values.asciidoc | 10 ++ scripts/templates/field_values.j2 | 9 ++ 3 files changed, 194 insertions(+) create mode 100644 docs/field-values-usage.asciidoc diff --git a/docs/field-values-usage.asciidoc b/docs/field-values-usage.asciidoc new file mode 100644 index 0000000000..88905ba3bc --- /dev/null +++ b/docs/field-values-usage.asciidoc 
@@ -0,0 +1,175 @@ +[[ecs-using-the-categorization-fields]] +=== Using the Categorization Fields + +The event categorization fields work together to identify and group similar events from multiple data sources. + +These general principles can help guide the categorization process: + +* Events from multiple data sources that are similar enough to be viewed or analyzed together, should fall into the same `event.category` field. +* Both `event.category` and `event.type` are arrays and may be populated with multiple allowed values, if the event can be reasonably classified into more than one category and/or type. +* `event.kind`, `event.category`, `event.type` and `event.outcome` all have allowed values. This is to normalize these fields. Values that aren't in the list of allowed values should not be used. +* Values of `event.outcome` are a very limited set to indicate success or failure. Domain-specific actions, such as deny and allow, that could be considered outcomes are not + captured in the `event.outcome` field, but rather in the `event.type` and/or `event.action` fields. +* Values of `event.category`, `event.type`, and `event.outcome` are consistent across all values of `event.kind`. +* When a specific event doesn't fit into any of the defined allowed categorization values, the field should be left empty. + +The following examples detail populating the categorization fields and provides some context for the classification decisions. + +[float] +==== Firewall blocking a network connection + +This event from a firewall describes a successfully blocked network connection: + +[source,json] +---- +... + { + "source": { + "address": "10.42.42.42", + "ip": "10.42.42.42", + "port": 38842 + }, + "destination": { + "address": "10.42.42.1", + "ip": "10.42.42.1", + "port": 443 + }, + "rule": { + "name": "wan-lan", + "id": "default" + }, + ... 
+ "event": { + "kind": "event", <1> + "category": [ <2> + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "success", <4> + "action": "dropped" <5> + } + } +... +---- + +<1> Classifying as an `event`. +<2> `event.category` categorizes this event as `network` activity. +<3> The event was both an attempted network `connection` and was `denied`. +<4> The blocking of this connection is expected. The outcome is a `success` from the perspective of the firewall emitting the event. +<5> The firewall classifies this denied connection as `dropped`, and this value is captured in `event.action`. + +A "denied" network connection could fall under different action values: "blocked", "dropped", "quarantined", etc. The `event.action` field captures the action taken as described by the source, and populating `event.type:denied` provides an independent, normalized value. + +A single query will return all denied network connections which have been normalized with the same categorization values: + +[source,sh] +---- +event.category:network AND event.type:denied +---- + +[float] +==== Failed attempt to create a user account + +User `alice` attempts to add a user account, `bob`, into a directory service, but the action fails: + +[source,json] +---- +{ + "user": { + "name": "alice", + "target": { + "name": "bob" + } + }, + "event": { + "kind": "event", <1> + "category": [ <2> + "iam" + ], + "type": [ <3> + "user", + "creation" + ], + "outcome": "failure" <4> + } +} +---- + +<1> Again classifying as an `event`. +<2> Categorized using `iam` for an event user account activity. +<3> Both `user` and `creation` +<4> The creation of a user account was attempted, but it was not successful. 
+ +[float] +==== Informational listing of a file + +A utility, such as a file integrity monitoring (FIM) application, takes inventory of a file but does not access or modify the file: + +[source,json] +---- +{ + "file": { + "name": "example.png", + "owner": "alice", + "path": "/home/alice/example.png", + "type": "file" + }, + "event": { + "kind": "event", <1> + "category": [ <2> + "file" + ], + "type": [ <3> + "info" + ] + } +} +---- + +<1> Classifying as `event`. +<2> The event is reporting on a `file`. +<3> The `info` type categorizes purely informational events. The target file here was not accessed or modified. + +The source data didn't include any context around the event's outcome, so `event.outcome` should not be populated. + +[float] +=== Security application failed to block a network connection + +An intrusion detection system (IDS) attempts to block a connection but fails. The event emitted by the IDS is considered an alert: + +[source,json] +---- +{ + "source": { + "address": "10.42.42.42", + "ip": "10.42.42.42", + "port": 38842 + }, + "destination": { + "address": "10.42.42.1", + "ip": "10.42.42.1", + "port": 443 + }, + ... + "event": { + "kind": "alert", <1> + "category": [ <2> + "intrusion_detection", + "network" + ], + "type": [ <3> + "connection", + "denied" + ], + "outcome": "failure" <4> + } +} +---- + +<1> The IDS emitted this event when a detection rule generated an alert. The `event.kind` is set to `alert`. +<2> With the event emitted from a network IDS device, the event is categorized both as `network` and `intrusion_detection`. +<3> The alert event is a `connection` that was `denied` by the IDS' configuration. +<4> The IDS experienced an issue when attempting to deny the connection. Since the action taken by the IDS failed, the outcome is set as `failure`. diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 2ff082fd3f..0b40b191ec 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc 
@@ -22,6 +22,13 @@ NOTE: If your events don't match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release. +[float] +[[ecs-category-usage]] +=== Categorization Usage + +<> contains examples combining the categorization fields to classify different types of events. + + [[ecs-allowed-values-event-kind]] === ECS Categorization Field: event.kind @@ -517,3 +524,6 @@ Indicates that this event describes a successful result. A common example is `ev Indicates that this event describes only an attempt for which the result is unknown from the perspective of the event producer. For example, if the event contains information only about the request side of a transaction that results in a response, populating `event.outcome:unknown` in the request event is appropriate. The unknown value should not be used when an outcome doesn't make logical sense for the event. In such cases `event.outcome` should not be populated. + + +include::field-values-usage.asciidoc[] \ No newline at end of file diff --git a/scripts/templates/field_values.j2 b/scripts/templates/field_values.j2 index 4789c00e09..488a2793e9 100644 --- a/scripts/templates/field_values.j2 +++ b/scripts/templates/field_values.j2 @@ -21,6 +21,13 @@ ECS defines four categorization fields for this purpose, each of which falls und NOTE: If your events don't match any of these categorization values, you should leave the fields empty. This will ensure you can start populating the fields once the appropriate categorization values are published, in a later release. + +[float] +[[ecs-category-usage]] +=== Categorization Usage + +<> contains examples combining the categorization fields to classify different types of events. + {% for field in fields %} [[ecs-allowed-values-{{ field['dashed_name'] }}]] === ECS Categorization Field: {{ field['flat_name'] }} 
@@ -45,3 +52,5 @@ once the appropriate categorization values are published, in a later release. {% endif %} {% endfor %} {%- endfor %} + +include::field-values-usage.asciidoc[] From 90db3126296b534bcfb860ff7a3e6f4e30e9e346 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 10 Feb 2021 15:28:43 -0600 Subject: [PATCH 75/90] add time_zone, postal_code, and continent_code (#1229) (#1258) --- CHANGELOG.next.md | 1 + code/go/ecs/geo.go | 11 + docs/field-details.asciidoc | 50 ++++ experimental/generated/beats/fields.ecs.yml | 168 +++++++++++ experimental/generated/csv/fields.csv | 18 ++ experimental/generated/ecs/ecs_flat.yml | 234 +++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 270 ++++++++++++++++++ .../generated/elasticsearch/7/template.json | 72 +++++ .../elasticsearch/component/client.json | 12 + .../elasticsearch/component/destination.json | 12 + .../elasticsearch/component/host.json | 12 + .../elasticsearch/component/observer.json | 12 + .../elasticsearch/component/server.json | 12 + .../elasticsearch/component/source.json | 12 + generated/beats/fields.ecs.yml | 168 +++++++++++ generated/csv/fields.csv | 18 ++ generated/ecs/ecs_flat.yml | 234 +++++++++++++++ generated/ecs/ecs_nested.yml | 270 ++++++++++++++++++ generated/elasticsearch/6/template.json | 72 +++++ generated/elasticsearch/7/template.json | 72 +++++ generated/elasticsearch/component/client.json | 12 + .../elasticsearch/component/destination.json | 12 + generated/elasticsearch/component/host.json | 12 + .../elasticsearch/component/observer.json | 12 + generated/elasticsearch/component/server.json | 12 + generated/elasticsearch/component/source.json | 12 + schemas/geo.yml | 28 ++ 27 files changed, 1830 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index bc78ca8138..0cad5ab971 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -20,6 +20,7 @@ Thanks, you're awesome :-) --> * Added `http.request.id`. #1208 * Added `cloud.service.name`. #1204 * Added `hash.ssdeep`. #1169 +* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 #### Improvements diff --git a/code/go/ecs/geo.go b/code/go/ecs/geo.go index 89bfd81704..4033ac1d57 100644 --- a/code/go/ecs/geo.go +++ b/code/go/ecs/geo.go @@ -26,6 +26,9 @@ type Geo struct { // Longitude and latitude. Location string `ecs:"location"` + // Two-letter code representing continent's name. + ContinentCode string `ecs:"continent_code"` + // Name of the continent. ContinentName string `ecs:"continent_name"` @@ -41,9 +44,17 @@ type Geo struct { // Country ISO code. CountryIsoCode string `ecs:"country_iso_code"` + // Postal code associated with the location. + // Values appropriate for this field may also be known as a postcode or ZIP + // code and will vary widely from country to country. + PostalCode string `ecs:"postal_code"` + // Region ISO code. RegionIsoCode string `ecs:"region_iso_code"` + // The time zone of the location, such as IANA time zone name. + Timezone string `ecs:"timezone"` + // User-defined description of a location, at the level of granularity they // care about. // Could be the name of their data centers, the floor number, if this diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index b1d4dbe8be..64379b2aaf 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2788,6 +2788,22 @@ example: `Montreal` // =============================================================== +| +[[field-geo-continent-code]] +<> + +| Two-letter code representing continent's name. + +type: keyword + + + +example: `NA` + +| core + +// =============================================================== + | [[field-geo-continent-name]] <> 
@@ -2872,6 +2888,24 @@ example: `boston-dc` // =============================================================== +| +[[field-geo-postal-code]] +<> + +| Postal code associated with the location. + +Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. + +type: keyword + + + +example: `94040` + +| core + +// =============================================================== + | [[field-geo-region-iso-code]] <> @@ -2904,6 +2938,22 @@ example: `Quebec` // =============================================================== +| +[[field-geo-timezone]] +<> + +| The time zone of the location, such as IANA time zone name. + +type: keyword + + + +example: `America/Argentina/Buenos_Aires` + +| core + +// =============================================================== + |===== [discrete] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 23727e859f..8a88804d62 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -205,6 +205,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -239,6 +246,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword 
@@ -251,6 +268,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -683,6 +707,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -717,6 +748,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -729,6 +770,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -2007,6 +2055,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: continent_name level: core type: keyword 
@@ -2041,6 +2096,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: region_iso_code level: core type: keyword @@ -2053,6 +2118,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: group title: Group group: 2 @@ -2173,6 +2245,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -2207,6 +2286,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -2219,6 +2308,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: hostname level: core type: wildcard 
@@ -2925,6 +3021,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -2959,6 +3062,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -2971,6 +3084,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: hostname level: core type: keyword @@ -4183,6 +4303,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -4217,6 +4344,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword 
@@ -4229,6 +4366,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -4512,6 +4656,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -4546,6 +4697,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -4558,6 +4719,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d7cded544d..cc2fce2539 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -16,13 +16,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. 1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. 1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. 1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. 1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address 
@@ -71,13 +74,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. 1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. 1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. 1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip 
@@ -241,13 +247,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. 1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. 1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. 1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. 
@@ -332,13 +341,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone 1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information 1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias 
@@ -484,13 +496,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. 1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. 1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. 1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. 1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip 
@@ -526,13 +541,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. 1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. 1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. 1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. 1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 4cab1099ae..2b4dc2772b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -175,6 +175,18 @@ client.geo.city_name: original_fieldset: geo short: City name. type: keyword +client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -239,6 +251,21 @@ client.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -263,6 +290,18 @@ client.geo.region_name: original_fieldset: geo short: Region name. type: keyword +client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -825,6 +864,18 @@ destination.geo.city_name: original_fieldset: geo short: City name. type: keyword +destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -889,6 +940,21 @@ destination.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -913,6 +979,18 @@ destination.geo.region_name: original_fieldset: geo short: Region name. type: keyword +destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). 
@@ -3326,6 +3404,18 @@ host.geo.city_name: original_fieldset: geo short: City name. type: keyword +host.geo.continent_code: + dashed_name: host-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword host.geo.continent_name: dashed_name: host-geo-continent-name description: Name of the continent. @@ -3390,6 +3480,21 @@ host.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +host.geo.postal_code: + dashed_name: host-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3414,6 +3519,18 @@ host.geo.region_name: original_fieldset: geo short: Region name. type: keyword +host.geo.timezone: + dashed_name: host-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword host.hostname: dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4462,6 +4579,18 @@ observer.geo.city_name: original_fieldset: geo short: City name. type: keyword +observer.geo.continent_code: + dashed_name: observer-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: observer.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword observer.geo.continent_name: dashed_name: observer-geo-continent-name description: Name of the continent. @@ -4526,6 +4655,21 @@ observer.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +observer.geo.postal_code: + dashed_name: observer-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: observer.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -4550,6 +4694,18 @@ observer.geo.region_name: original_fieldset: geo short: Region name. type: keyword +observer.geo.timezone: + dashed_name: observer-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: observer.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword observer.hostname: dashed_name: observer-hostname description: Hostname of the observer. 
@@ -6208,6 +6364,18 @@ server.geo.city_name: original_fieldset: geo short: City name. type: keyword +server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -6272,6 +6440,21 @@ server.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -6296,6 +6479,18 @@ server.geo.region_name: original_fieldset: geo short: Region name. type: keyword +server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). 
@@ -6727,6 +6922,18 @@ source.geo.city_name: original_fieldset: geo short: City name. type: keyword +source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. @@ -6791,6 +6998,21 @@ source.geo.name: original_fieldset: geo short: User-defined description of a location. type: wildcard +source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -6815,6 +7037,18 @@ source.geo.region_name: original_fieldset: geo short: Region name. type: keyword +source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ef1e3567d2..878d68757c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -320,6 +320,18 @@ client: original_fieldset: geo short: City name. type: keyword + client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -384,6 +396,21 @@ client: original_fieldset: geo short: User-defined description of a location. type: wildcard + client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -408,6 +435,18 @@ client: original_fieldset: geo short: Region name. type: keyword + client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -1135,6 +1174,18 @@ destination: original_fieldset: geo short: City name. type: keyword + destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -1199,6 +1250,21 @@ destination: original_fieldset: geo short: User-defined description of a location. type: wildcard + destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -1223,6 +1289,18 @@ destination: original_fieldset: geo short: Region name. type: keyword + destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). 
@@ -3711,6 +3789,17 @@ geo: normalize: [] short: City name. type: keyword + geo.continent_code: + dashed_name: geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + short: Continent code. + type: keyword geo.continent_name: dashed_name: geo-continent-name description: Name of the continent. @@ -3770,6 +3859,20 @@ geo: normalize: [] short: User-defined description of a location. type: wildcard + geo.postal_code: + dashed_name: geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + short: Postal code. + type: keyword geo.region_iso_code: dashed_name: geo-region-iso-code description: Region ISO code. @@ -3792,6 +3895,17 @@ geo: normalize: [] short: Region name. type: keyword + geo.timezone: + dashed_name: geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + short: Time zone. + type: keyword group: 2 name: geo prefix: geo. @@ -4026,6 +4140,18 @@ host: original_fieldset: geo short: City name. type: keyword + host.geo.continent_code: + dashed_name: host-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword host.geo.continent_name: dashed_name: host-geo-continent-name description: Name of the continent. 
@@ -4090,6 +4216,21 @@ host: original_fieldset: geo short: User-defined description of a location. type: wildcard + host.geo.postal_code: + dashed_name: host-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -4114,6 +4255,18 @@ host: original_fieldset: geo short: Region name. type: keyword + host.geo.timezone: + dashed_name: host-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword host.hostname: dashed_name: host-hostname description: 'Hostname of the host. @@ -5280,6 +5433,18 @@ observer: original_fieldset: geo short: City name. type: keyword + observer.geo.continent_code: + dashed_name: observer-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: observer.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword observer.geo.continent_name: dashed_name: observer-geo-continent-name description: Name of the continent. 
@@ -5344,6 +5509,21 @@ observer: original_fieldset: geo short: User-defined description of a location. type: wildcard + observer.geo.postal_code: + dashed_name: observer-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: observer.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -5368,6 +5548,18 @@ observer: original_fieldset: geo short: Region name. type: keyword + observer.geo.timezone: + dashed_name: observer-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: observer.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword observer.hostname: dashed_name: observer-hostname description: Hostname of the observer. @@ -7399,6 +7591,18 @@ server: original_fieldset: geo short: City name. type: keyword + server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. 
@@ -7463,6 +7667,21 @@ server: original_fieldset: geo short: User-defined description of a location. type: wildcard + server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -7487,6 +7706,18 @@ server: original_fieldset: geo short: Region name. type: keyword + server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). @@ -7962,6 +8193,18 @@ source: original_fieldset: geo short: City name. type: keyword + source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. 
@@ -8026,6 +8269,21 @@ source: original_fieldset: geo short: User-defined description of a location. type: wildcard + source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -8050,6 +8308,18 @@ source: original_fieldset: geo short: Region name. type: keyword + source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index aebee4c182..451c03c849 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -91,6 +91,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -109,6 +113,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -116,6 +124,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -362,6 +374,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -380,6 +396,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -387,6 +407,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1111,6 +1135,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1129,6 +1157,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1136,6 +1168,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1564,6 +1600,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1582,6 +1622,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1589,6 +1633,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2241,6 +2289,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2259,6 +2311,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" 
@@ -2266,6 +2322,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2436,6 +2496,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2454,6 +2518,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2461,6 +2529,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json index bb1003070f..df7ef337a3 100644 --- a/experimental/generated/elasticsearch/component/client.json +++ b/experimental/generated/elasticsearch/component/client.json @@ -44,6 +44,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -62,6 +66,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -69,6 +77,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json index be3448e658..cff46d3ea5 100644 --- a/experimental/generated/elasticsearch/component/destination.json +++ b/experimental/generated/elasticsearch/component/destination.json 
@@ -44,6 +44,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -62,6 +66,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -69,6 +77,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json index f5645b0920..2d503d0b39 100644 --- a/experimental/generated/elasticsearch/component/host.json +++ b/experimental/generated/elasticsearch/component/host.json @@ -48,6 +48,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -66,6 +70,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -73,6 +81,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json index bc53052962..6a36b4bbaf 100644 --- a/experimental/generated/elasticsearch/component/observer.json +++ b/experimental/generated/elasticsearch/component/observer.json @@ -51,6 +51,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" 
@@ -69,6 +73,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -76,6 +84,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json index 16cd5781f8..6bb1f55c3c 100644 --- a/experimental/generated/elasticsearch/component/server.json +++ b/experimental/generated/elasticsearch/component/server.json @@ -44,6 +44,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -62,6 +66,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -69,6 +77,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json index 43edaf2f09..9832312beb 100644 --- a/experimental/generated/elasticsearch/component/source.json +++ b/experimental/generated/elasticsearch/component/source.json @@ -44,6 +44,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -62,6 +66,10 @@ "name": { "type": "wildcard" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -69,6 +77,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1c6cea3a9a..66a0122ae4 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -209,6 +209,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -244,6 +251,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -256,6 +273,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -642,6 +666,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword 
@@ -677,6 +708,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -689,6 +730,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -1983,6 +2031,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: continent_name level: core type: keyword @@ -2018,6 +2073,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: region_iso_code level: core type: keyword @@ -2030,6 +2095,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: group title: Group group: 2 
@@ -2128,6 +2200,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -2163,6 +2242,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -2175,6 +2264,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: hostname level: core type: keyword @@ -2868,6 +2964,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -2903,6 +3006,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword 
@@ -2915,6 +3028,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: hostname level: core type: keyword @@ -4152,6 +4272,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword @@ -4187,6 +4314,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -4199,6 +4336,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip @@ -4488,6 +4632,13 @@ ignore_above: 1024 description: City name. example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false - name: geo.continent_name level: core type: keyword 
@@ -4523,6 +4674,16 @@ Not typically used in automated geolocation.' example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false - name: geo.region_iso_code level: core type: keyword @@ -4535,6 +4696,13 @@ ignore_above: 1024 description: Region name. example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false - name: ip level: core type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a71bdc558e..87ddec0d0d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -16,13 +16,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. 1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain. 1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. 1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. 1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address 
@@ -68,13 +71,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. 1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. 1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. 1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip 
@@ -235,13 +241,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. 1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 
@@ -322,13 +331,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone 1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information 1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias 
@@ -474,13 +486,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. 1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain. 1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. 1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. 1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip 
@@ -516,13 +531,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. 1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain. 1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. 1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. 1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. 1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. 1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1af94d22d3..44aa7b170f 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -178,6 +178,18 @@ client.geo.city_name: original_fieldset: geo short: City name. type: keyword +client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -243,6 +255,21 @@ client.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -267,6 +294,18 @@ client.geo.region_name: original_fieldset: geo short: Region name. type: keyword +client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -789,6 +828,18 @@ destination.geo.city_name: original_fieldset: geo short: City name. type: keyword +destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -854,6 +905,21 @@ destination.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -878,6 +944,18 @@ destination.geo.region_name: original_fieldset: geo short: Region name. type: keyword +destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). 
@@ -3274,6 +3352,18 @@ host.geo.city_name: original_fieldset: geo short: City name. type: keyword +host.geo.continent_code: + dashed_name: host-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword host.geo.continent_name: dashed_name: host-geo-continent-name description: Name of the continent. @@ -3339,6 +3429,21 @@ host.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +host.geo.postal_code: + dashed_name: host-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -3363,6 +3468,18 @@ host.geo.region_name: original_fieldset: geo short: Region name. type: keyword +host.geo.timezone: + dashed_name: host-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword host.hostname: dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4382,6 +4499,18 @@ observer.geo.city_name: original_fieldset: geo short: City name. type: keyword +observer.geo.continent_code: + dashed_name: observer-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: observer.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword observer.geo.continent_name: dashed_name: observer-geo-continent-name description: Name of the continent. @@ -4447,6 +4576,21 @@ observer.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +observer.geo.postal_code: + dashed_name: observer-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: observer.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -4471,6 +4615,18 @@ observer.geo.region_name: original_fieldset: geo short: Region name. type: keyword +observer.geo.timezone: + dashed_name: observer-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: observer.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword observer.hostname: dashed_name: observer-hostname description: Hostname of the observer. 
@@ -6151,6 +6307,18 @@ server.geo.city_name: original_fieldset: geo short: City name. type: keyword +server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. @@ -6216,6 +6384,21 @@ server.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -6240,6 +6423,18 @@ server.geo.region_name: original_fieldset: geo short: Region name. type: keyword +server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). 
@@ -6677,6 +6872,18 @@ source.geo.city_name: original_fieldset: geo short: City name. type: keyword +source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. @@ -6742,6 +6949,21 @@ source.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword +source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -6766,6 +6988,18 @@ source.geo.region_name: original_fieldset: geo short: Region name. type: keyword +source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a3934fd463..d550ec8cc6 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -324,6 +324,18 @@ client: original_fieldset: geo short: City name. type: keyword + client.geo.continent_code: + dashed_name: client-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: client.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword client.geo.continent_name: dashed_name: client-geo-continent-name description: Name of the continent. @@ -389,6 +401,21 @@ client: original_fieldset: geo short: User-defined description of a location. type: keyword + client.geo.postal_code: + dashed_name: client-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: client.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword client.geo.region_iso_code: dashed_name: client-geo-region-iso-code description: Region ISO code. @@ -413,6 +440,18 @@ client: original_fieldset: geo short: Region name. type: keyword + client.geo.timezone: + dashed_name: client-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: client.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword client.ip: dashed_name: client-ip description: IP address of the client (IPv4 or IPv6). 
@@ -1077,6 +1116,18 @@ destination: original_fieldset: geo short: City name. type: keyword + destination.geo.continent_code: + dashed_name: destination-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: destination.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword destination.geo.continent_name: dashed_name: destination-geo-continent-name description: Name of the continent. @@ -1142,6 +1193,21 @@ destination: original_fieldset: geo short: User-defined description of a location. type: keyword + destination.geo.postal_code: + dashed_name: destination-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: destination.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword destination.geo.region_iso_code: dashed_name: destination-geo-region-iso-code description: Region ISO code. @@ -1166,6 +1232,18 @@ destination: original_fieldset: geo short: Region name. type: keyword + destination.geo.timezone: + dashed_name: destination-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: destination.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword destination.ip: dashed_name: destination-ip description: IP address of the destination (IPv4 or IPv6). 
@@ -3671,6 +3749,17 @@ geo: normalize: [] short: City name. type: keyword + geo.continent_code: + dashed_name: geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + short: Continent code. + type: keyword geo.continent_name: dashed_name: geo-continent-name description: Name of the continent. @@ -3731,6 +3820,20 @@ geo: normalize: [] short: User-defined description of a location. type: keyword + geo.postal_code: + dashed_name: geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + short: Postal code. + type: keyword geo.region_iso_code: dashed_name: geo-region-iso-code description: Region ISO code. @@ -3753,6 +3856,17 @@ geo: normalize: [] short: Region name. type: keyword + geo.timezone: + dashed_name: geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + short: Time zone. + type: keyword group: 2 name: geo prefix: geo. @@ -3953,6 +4067,18 @@ host: original_fieldset: geo short: City name. type: keyword + host.geo.continent_code: + dashed_name: host-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: host.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword host.geo.continent_name: dashed_name: host-geo-continent-name description: Name of the continent. 
@@ -4018,6 +4144,21 @@ host: original_fieldset: geo short: User-defined description of a location. type: keyword + host.geo.postal_code: + dashed_name: host-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: host.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword host.geo.region_iso_code: dashed_name: host-geo-region-iso-code description: Region ISO code. @@ -4042,6 +4183,18 @@ host: original_fieldset: geo short: Region name. type: keyword + host.geo.timezone: + dashed_name: host-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: host.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword host.hostname: dashed_name: host-hostname description: 'Hostname of the host. @@ -5179,6 +5332,18 @@ observer: original_fieldset: geo short: City name. type: keyword + observer.geo.continent_code: + dashed_name: observer-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: observer.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword observer.geo.continent_name: dashed_name: observer-geo-continent-name description: Name of the continent. 
@@ -5244,6 +5409,21 @@ observer: original_fieldset: geo short: User-defined description of a location. type: keyword + observer.geo.postal_code: + dashed_name: observer-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: observer.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword observer.geo.region_iso_code: dashed_name: observer-geo-region-iso-code description: Region ISO code. @@ -5268,6 +5448,18 @@ observer: original_fieldset: geo short: Region name. type: keyword + observer.geo.timezone: + dashed_name: observer-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: observer.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword observer.hostname: dashed_name: observer-hostname description: Hostname of the observer. @@ -7324,6 +7516,18 @@ server: original_fieldset: geo short: City name. type: keyword + server.geo.continent_code: + dashed_name: server-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: server.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword server.geo.continent_name: dashed_name: server-geo-continent-name description: Name of the continent. 
@@ -7389,6 +7593,21 @@ server: original_fieldset: geo short: User-defined description of a location. type: keyword + server.geo.postal_code: + dashed_name: server-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: server.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword server.geo.region_iso_code: dashed_name: server-geo-region-iso-code description: Region ISO code. @@ -7413,6 +7632,18 @@ server: original_fieldset: geo short: Region name. type: keyword + server.geo.timezone: + dashed_name: server-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: server.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword server.ip: dashed_name: server-ip description: IP address of the server (IPv4 or IPv6). @@ -7894,6 +8125,18 @@ source: original_fieldset: geo short: City name. type: keyword + source.geo.continent_code: + dashed_name: source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword source.geo.continent_name: dashed_name: source-geo-continent-name description: Name of the continent. 
@@ -7959,6 +8202,21 @@ source: original_fieldset: geo short: User-defined description of a location. type: keyword + source.geo.postal_code: + dashed_name: source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword source.geo.region_iso_code: dashed_name: source-geo-region-iso-code description: Region ISO code. @@ -7983,6 +8241,18 @@ source: original_fieldset: geo short: Region name. type: keyword + source.geo.timezone: + dashed_name: source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword source.ip: dashed_name: source-ip description: IP address of the source (IPv4 or IPv6). diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 5d91ba5198..15708392e3 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -95,6 +95,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -114,6 +118,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -121,6 +129,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -360,6 +372,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -379,6 +395,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -386,6 +406,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1101,6 +1125,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1120,6 +1148,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1127,6 +1159,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1542,6 +1578,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1561,6 +1601,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1568,6 +1612,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2242,6 +2290,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" 
@@ -2261,6 +2313,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2268,6 +2324,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2444,6 +2504,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2463,6 +2527,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2470,6 +2538,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 04000cc76a..083546847a 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -94,6 +94,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -113,6 +117,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -120,6 +128,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -359,6 +371,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" 
@@ -378,6 +394,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -385,6 +405,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1100,6 +1124,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1119,6 +1147,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1126,6 +1158,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1541,6 +1577,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1560,6 +1600,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1567,6 +1611,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2241,6 +2289,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2260,6 +2312,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2267,6 +2323,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -2443,6 +2503,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2462,6 +2526,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2469,6 +2537,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json index 4813913258..59e1c4fac5 100644 --- a/generated/elasticsearch/component/client.json +++ b/generated/elasticsearch/component/client.json @@ -46,6 +46,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -65,6 +69,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -72,6 +80,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json index c73b493e86..d7babcf058 100644 --- a/generated/elasticsearch/component/destination.json +++ b/generated/elasticsearch/component/destination.json @@ -46,6 +46,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -65,6 +69,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" 
@@ -72,6 +80,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index 3d0b3a8cf8..e371893cf8 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -22,6 +22,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -41,6 +45,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -48,6 +56,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json index 049625241b..d4be55d415 100644 --- a/generated/elasticsearch/component/observer.json +++ b/generated/elasticsearch/component/observer.json @@ -51,6 +51,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -70,6 +74,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -77,6 +85,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index bdd746f660..d824559d6c 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json 
@@ -46,6 +46,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -65,6 +69,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -72,6 +80,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index cb236d53f0..d6b6bd2048 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -46,6 +46,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -65,6 +69,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -72,6 +80,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, diff --git a/schemas/geo.yml b/schemas/geo.yml index 347d60829e..fef496097b 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml @@ -27,6 +27,14 @@ Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: continent_code + level: core + type: keyword + short: Continent code. + description: > + Two-letter code representing continent's name. + example: NA + - name: continent_name level: core type: keyword 
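Review bot: The new `continent_code` entry in schemas/geo.yml does not say which code list the values come from or what case they are expected in, and the field is `type: keyword`, which is case-sensitive, so a detection or dashboard filtering on `geo.continent_code: NA` will silently miss an event that a different enrichment pipeline wrote as `na`. The neighbouring `country_iso_code` (`CA`) and `region_iso_code` (`CA-QC`) examples already imply uppercase codes, so I would make that explicit in the description, e.g. `Two-letter, uppercase code representing the continent, such as NA for North America.` If the intended list is the one used by common GeoIP databases (AF, AN, AS, EU, NA, OC, SA — to be confirmed), naming it would give producers something concrete to normalize to.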
@@ -62,6 +70,18 @@ Country ISO code. example: CA + - name: postal_code + level: core + type: keyword + short: Postal code. + description: > + Postal code associated with the location. + + Values appropriate for this field may also be known + as a postcode or ZIP code and will vary widely from + country to country. + example: 94040 + - name: region_iso_code level: core type: keyword @@ -69,6 +89,14 @@ Region ISO code. example: CA-QC + - name: timezone + level: core + type: keyword + short: Time zone. + description: > + The time zone of the location, such as IANA time zone name. + example: "America/Argentina/Buenos_Aires" + - name: name level: extended type: keyword From 9006c8d201de6ae3f86a10d1cc3e0d01b1ed13c7 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 11 Feb 2021 12:05:04 -0600 Subject: [PATCH 76/90] Specify MAC address format (#456) (#1260) Co-authored-by: Robin Schneider <36660054+ypid-geberit@users.noreply.github.com> --- CHANGELOG.next.md | 2 + code/go/ecs/client.go | 4 ++ code/go/ecs/destination.go | 4 ++ code/go/ecs/host.go | 6 +- code/go/ecs/observer.go | 18 +++--- code/go/ecs/server.go | 4 ++ code/go/ecs/source.go | 4 ++ docs/field-details.asciidoc | 36 +++++++---- experimental/generated/beats/fields.ecs.yml | 64 ++++++++++++++----- experimental/generated/csv/fields.csv | 12 ++-- experimental/generated/ecs/ecs_flat.yml | 59 +++++++++++++----- experimental/generated/ecs/ecs_nested.yml | 68 ++++++++++++++++----- generated/beats/fields.ecs.yml | 64 ++++++++++++++----- generated/csv/fields.csv | 12 ++-- generated/ecs/ecs_flat.yml | 59 +++++++++++++----- generated/ecs/ecs_nested.yml | 68 ++++++++++++++++----- schemas/client.yml | 7 +++ schemas/destination.yml | 7 +++ schemas/host.yml | 9 ++- schemas/observer.yml | 23 ++++--- schemas/server.yml | 7 +++ schemas/source.yml | 7 +++ 22 files changed, 413 insertions(+), 131 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 0cad5ab971..2d597ed044 100644 --- a/CHANGELOG.next.md 
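Review bot: In the `postal_code` entry added to schemas/geo.yml the example `94040` is unquoted, so YAML parses it as an integer even though the field is `type: keyword`, and the same bare integer is carried into the generated `ecs_flat.yml` and `ecs_nested.yml` in this commit, while the `timezone` example in the following hunk is quoted. Quote it as `example: '94040'` so tooling that renders or round-trips examples keeps the string type; this also matters for postal codes with leading zeros (e.g. `02134`) that integer handling would mangle. Postal code is the most precise location value in this field set, so the description could also carry a one-line note that producers should decide deliberately whether to populate it for client and source addresses where retention or privacy rules apply.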
+++ b/CHANGELOG.next.md @@ -24,6 +24,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Include formatting guidance and examples for MAC address fields. #456 + #### Deprecated diff --git a/code/go/ecs/client.go b/code/go/ecs/client.go index 9c6336d4bf..0942961b91 100644 --- a/code/go/ecs/client.go +++ b/code/go/ecs/client.go @@ -47,6 +47,10 @@ type Client struct { Port int64 `ecs:"port"` // MAC address of the client. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // Client domain. diff --git a/code/go/ecs/destination.go b/code/go/ecs/destination.go index 1985e8720b..0d53a18d4b 100644 --- a/code/go/ecs/destination.go +++ b/code/go/ecs/destination.go @@ -43,6 +43,10 @@ type Destination struct { Port int64 `ecs:"port"` // MAC address of the destination. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // Destination domain. diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go index 1d66d78832..f3afb6b871 100644 --- a/code/go/ecs/host.go +++ b/code/go/ecs/host.go @@ -44,7 +44,11 @@ type Host struct { // Host ip addresses. IP string `ecs:"ip"` - // Host mac addresses. + // Host MAC addresses. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // Type of host. diff --git a/code/go/ecs/observer.go b/code/go/ecs/observer.go index a7459aa11a..84eb2d0545 100644 --- a/code/go/ecs/observer.go 
+++ b/code/go/ecs/observer.go @@ -32,7 +32,11 @@ package ecs // and ETL components used in processing events or metrics are not considered // observers in ECS. type Observer struct { - // MAC addresses of the observer + // MAC addresses of the observer. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // IP addresses of the observer. 
@@ -67,24 +71,24 @@ type Observer struct { Type string `ecs:"type"` // Observer.ingress holds information like interface number and name, vlan, - // and zone information to classify ingress traffic. Single armed - // monitoring such as a network sensor on a span port should only use + // and zone information to classify ingress traffic. Single armed + // monitoring such as a network sensor on a span port should only use // observer.ingress to categorize traffic. Ingress map[string]interface{} `ecs:"ingress"` // Network zone of incoming traffic as reported by the observer to - // categorize the source area of ingress traffic. e.g. internal, External, + // categorize the source area of ingress traffic. e.g. internal, External, // DMZ, HR, Legal, etc. IngressZone string `ecs:"ingress.zone"` // Observer.egress holds information like interface number and name, vlan, - // and zone information to classify egress traffic. Single armed - // monitoring such as a network sensor on a span port should only use + // and zone information to classify egress traffic. Single armed + // monitoring such as a network sensor on a span port should only use // observer.ingress to categorize traffic. Egress map[string]interface{} `ecs:"egress"` // Network zone of outbound traffic as reported by the observer to - // categorize the destination area of egress traffic, e.g. Internal, + // categorize the destination area of egress traffic, e.g. Internal, // External, DMZ, HR, Legal, etc. EgressZone string `ecs:"egress.zone"` } diff --git a/code/go/ecs/server.go b/code/go/ecs/server.go index bc395a115c..dfd43b0f0a 100644 --- a/code/go/ecs/server.go +++ b/code/go/ecs/server.go 
@@ -47,6 +47,10 @@ type Server struct { Port int64 `ecs:"port"` // MAC address of the server. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // Server domain. diff --git a/code/go/ecs/source.go b/code/go/ecs/source.go index 3e4becbbbd..d407ee5d20 100644 --- a/code/go/ecs/source.go +++ b/code/go/ecs/source.go @@ -43,6 +43,10 @@ type Source struct { Port int64 `ecs:"port"` // MAC address of the source. + // The notation format from RFC 7042 is suggested: Each octet (that is, + // 8-bit byte) is represented by two [uppercase] hexadecimal digits giving + // the value of the octet as an unsigned integer. Successive octets are + // separated by a hyphen. MAC string `ecs:"mac"` // Source domain. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 64379b2aaf..12cfbc5870 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -375,11 +375,13 @@ type: ip | MAC address of the client. -type: keyword +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +type: keyword +example: `00-00-5E-00-53-23` | core @@ -1067,11 +1069,13 @@ type: ip | MAC address of the destination. -type: keyword +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +type: keyword +example: `00-00-5E-00-53-23` | core 
@@ -3263,7 +3267,9 @@ Note: this field should contain an array of values. [[field-host-mac]] <> -| Host mac addresses. +| Host MAC addresses. + +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword @@ -3272,7 +3278,7 @@ Note: this field should contain an array of values. - +example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]` | core @@ -4238,7 +4244,7 @@ This could be a custom hardware appliance or a server that has been configured t [[field-observer-egress]] <> -| Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +| Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object @@ -4254,7 +4260,7 @@ type: object [[field-observer-egress-zone]] <> -| Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +| Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. type: keyword 
@@ -4286,7 +4292,7 @@ type: keyword [[field-observer-ingress]] <> -| Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +| Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. type: object @@ -4302,7 +4308,7 @@ type: object [[field-observer-ingress-zone]] <> -| Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +| Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. type: keyword @@ -4337,7 +4343,9 @@ Note: this field should contain an array of values. [[field-observer-mac]] <> -| MAC addresses of the observer +| MAC addresses of the observer. + +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. type: keyword @@ -4346,7 +4354,7 @@ Note: this field should contain an array of values. - +example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]` | core @@ -5965,11 +5973,13 @@ type: ip | MAC address of the server. -type: keyword +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +type: keyword +example: `00-00-5E-00-53-23` | core 
@@ -6376,11 +6386,13 @@ type: ip | MAC address of the source. -type: keyword +The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. +type: keyword +example: `00-00-5E-00-53-23` | core diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 8a88804d62..841d63b442 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -283,7 +283,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -785,7 +791,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip 
@@ -2338,7 +2350,13 @@ level: core type: keyword ignore_above: 1024 - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: core type: keyword @@ -2965,9 +2983,9 @@ level: extended type: object description: Observer.egress holds information like interface number and name, - vlan, and zone information to classify egress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. default_field: false - name: egress.interface.alias level: extended @@ -3011,7 +3029,7 @@ type: keyword ignore_above: 1024 description: Network zone of outbound traffic as reported by the observer to - categorize the destination area of egress traffic, e.g. Internal, External, + categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet default_field: false @@ -3100,9 +3118,9 @@ level: extended type: object description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. default_field: false - name: ingress.interface.alias level: extended 
@@ -3146,7 +3164,7 @@ type: keyword ignore_above: 1024 description: Network zone of incoming traffic as reported by the observer to - categorize the source area of ingress traffic. e.g. internal, External, DMZ, + categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ default_field: false @@ -3158,7 +3176,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: extended type: keyword @@ -4381,7 +4405,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -4734,7 +4764,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index cc2fce2539..2ab59c260c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -27,7 +27,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. -1.9.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +1.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. 1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address 1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port 1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. @@ -85,7 +85,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. 1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip 1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port 1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
@@ -260,7 +260,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. 1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. 1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -1.9.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. 1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. @@ -360,7 +360,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone 1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. 1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. 1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -507,7 +507,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -1.9.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +1.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. 1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip 1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port 1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. @@ -552,7 +552,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -1.9.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +1.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip 1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port 1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 2b4dc2772b..ba35594e18 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -313,7 +313,12 @@ client.ip: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core @@ -1002,7 +1007,12 @@ destination.ip: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core @@ -3568,14 +3578,19 @@ host.ip: type: ip host.mac: dashed_name: host-mac - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - short: Host mac addresses. + short: Host MAC addresses. type: keyword host.name: dashed_name: host-name 
@@ -4484,8 +4499,8 @@ network.vlan.name: observer.egress: dashed_name: observer-egress description: Observer.egress holds information like interface number and name, vlan, - and zone information to classify egress traffic. Single armed monitoring such - as a network sensor on a span port should only use observer.ingress to categorize + and zone information to classify egress traffic. Single armed monitoring such + as a network sensor on a span port should only use observer.ingress to categorize traffic. flat_name: observer.egress level: extended @@ -4557,7 +4572,7 @@ observer.egress.vlan.name: observer.egress.zone: dashed_name: observer-egress-zone description: Network zone of outbound traffic as reported by the observer to categorize - the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, + the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet flat_name: observer.egress.zone @@ -4719,8 +4734,8 @@ observer.hostname: observer.ingress: dashed_name: observer-ingress description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress to categorize + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to categorize traffic. flat_name: observer.ingress level: extended @@ -4792,8 +4807,7 @@ observer.ingress.vlan.name: observer.ingress.zone: dashed_name: observer-ingress-zone description: Network zone of incoming traffic as reported by the observer to categorize - the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, - etc. + the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ flat_name: observer.ingress.zone ignore_above: 1024 
@@ -4814,14 +4828,19 @@ observer.ip: type: ip observer.mac: dashed_name: observer-mac - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: observer.mac ignore_above: 1024 level: core name: mac normalize: - array - short: MAC addresses of the observer + short: MAC addresses of the observer. type: keyword observer.name: dashed_name: observer-name @@ -6502,7 +6521,12 @@ server.ip: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -7060,7 +7084,12 @@ source.ip: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 878d68757c..ff10e027f4 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -458,7 +458,13 @@ client: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core @@ -1312,7 +1318,13 @@ destination: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core @@ -4304,14 +4316,20 @@ host: type: ip host.mac: dashed_name: host-mac - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - short: Host mac addresses. + short: Host MAC addresses. type: keyword host.name: dashed_name: host-name 
@@ -5337,9 +5355,9 @@ observer: observer.egress: dashed_name: observer-egress description: Observer.egress holds information like interface number and name, - vlan, and zone information to classify egress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. flat_name: observer.egress level: extended name: egress @@ -5411,7 +5429,7 @@ observer: observer.egress.zone: dashed_name: observer-egress-zone description: Network zone of outbound traffic as reported by the observer to - categorize the destination area of egress traffic, e.g. Internal, External, + categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet flat_name: observer.egress.zone @@ -5573,9 +5591,9 @@ observer: observer.ingress: dashed_name: observer-ingress description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. flat_name: observer.ingress level: extended name: ingress @@ -5647,7 +5665,7 @@ observer: observer.ingress.zone: dashed_name: observer-ingress-zone description: Network zone of incoming traffic as reported by the observer to - categorize the source area of ingress traffic. e.g. internal, External, DMZ, + categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ flat_name: observer.ingress.zone 
@@ -5669,14 +5687,20 @@ observer: type: ip observer.mac: dashed_name: observer-mac - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: observer.mac ignore_above: 1024 level: core name: mac normalize: - array - short: MAC addresses of the observer + short: MAC addresses of the observer. type: keyword observer.name: dashed_name: observer-name @@ -7729,7 +7753,13 @@ server: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -8331,7 +8361,13 @@ source: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 66a0122ae4..6fd2e7ea03 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -288,7 +288,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -745,7 +751,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -2295,7 +2307,13 @@ level: core type: keyword ignore_above: 1024 - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: core type: keyword @@ -2908,9 +2926,9 @@ level: extended type: object description: Observer.egress holds information like interface number and name, - vlan, and zone information to classify egress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. default_field: false - name: egress.interface.alias level: extended 
@@ -2954,7 +2972,7 @@ type: keyword ignore_above: 1024 description: Network zone of outbound traffic as reported by the observer to - categorize the destination area of egress traffic, e.g. Internal, External, + categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet default_field: false @@ -3044,9 +3062,9 @@ level: extended type: object description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. default_field: false - name: ingress.interface.alias level: extended @@ -3090,7 +3108,7 @@ type: keyword ignore_above: 1024 description: Network zone of incoming traffic as reported by the observer to - categorize the source area of ingress traffic. e.g. internal, External, DMZ, + categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ default_field: false @@ -3102,7 +3120,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' - name: name level: extended type: keyword 
@@ -4351,7 +4375,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip @@ -4711,7 +4741,13 @@ level: core type: keyword ignore_above: 1024 - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 - name: nat.ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 87ddec0d0d..46400c8e83 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -27,7 +27,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.9.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. 1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address 1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port 1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. 
@@ -82,7 +82,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.9.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. 1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip 1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port 1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. @@ -254,7 +254,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. 1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.9.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -350,7 +350,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone 1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.9.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. 1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. 1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." @@ -497,7 +497,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.9.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. 1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip 1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port 1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. 
@@ -542,7 +542,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. 1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.9.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip 1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port 1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 44aa7b170f..b92392d17e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -317,7 +317,12 @@ client.ip: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core @@ -967,7 +972,12 @@ destination.ip: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core 
@@ -3518,14 +3528,19 @@ host.ip: type: ip host.mac: dashed_name: host-mac - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - short: Host mac addresses. + short: Host MAC addresses. type: keyword host.name: dashed_name: host-name @@ -4404,8 +4419,8 @@ network.vlan.name: observer.egress: dashed_name: observer-egress description: Observer.egress holds information like interface number and name, vlan, - and zone information to classify egress traffic. Single armed monitoring such - as a network sensor on a span port should only use observer.ingress to categorize + and zone information to classify egress traffic. Single armed monitoring such + as a network sensor on a span port should only use observer.ingress to categorize traffic. flat_name: observer.egress level: extended @@ -4477,7 +4492,7 @@ observer.egress.vlan.name: observer.egress.zone: dashed_name: observer-egress-zone description: Network zone of outbound traffic as reported by the observer to categorize - the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, + the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet flat_name: observer.egress.zone 
@@ -4640,8 +4655,8 @@ observer.hostname: observer.ingress: dashed_name: observer-ingress description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress to categorize + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to categorize traffic. flat_name: observer.ingress level: extended @@ -4713,8 +4728,7 @@ observer.ingress.vlan.name: observer.ingress.zone: dashed_name: observer-ingress-zone description: Network zone of incoming traffic as reported by the observer to categorize - the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, - etc. + the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ flat_name: observer.ingress.zone ignore_above: 1024 @@ -4735,14 +4749,19 @@ observer.ip: type: ip observer.mac: dashed_name: observer-mac - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: observer.mac ignore_above: 1024 level: core name: mac normalize: - array - short: MAC addresses of the observer + short: MAC addresses of the observer. type: keyword observer.name: dashed_name: observer-name 
@@ -6446,7 +6465,12 @@ server.ip: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -7011,7 +7035,12 @@ source.ip: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index d550ec8cc6..b11ded1d60 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -463,7 +463,13 @@ client: type: ip client.mac: dashed_name: client-mac - description: MAC address of the client. + description: 'MAC address of the client. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: client.mac ignore_above: 1024 level: core 
@@ -1255,7 +1261,13 @@ destination: type: ip destination.mac: dashed_name: destination-mac - description: MAC address of the destination. + description: 'MAC address of the destination. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: destination.mac ignore_above: 1024 level: core @@ -4233,14 +4245,20 @@ host: type: ip host.mac: dashed_name: host-mac - description: Host mac addresses. + description: 'Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: host.mac ignore_above: 1024 level: core name: mac normalize: - array - short: Host mac addresses. + short: Host MAC addresses. type: keyword host.name: dashed_name: host-name @@ -5236,9 +5254,9 @@ observer: observer.egress: dashed_name: observer-egress description: Observer.egress holds information like interface number and name, - vlan, and zone information to classify egress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. flat_name: observer.egress level: extended name: egress 
@@ -5310,7 +5328,7 @@ observer: observer.egress.zone: dashed_name: observer-egress-zone description: Network zone of outbound traffic as reported by the observer to - categorize the destination area of egress traffic, e.g. Internal, External, + categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. example: Public_Internet flat_name: observer.egress.zone @@ -5473,9 +5491,9 @@ observer: observer.ingress: dashed_name: observer-ingress description: Observer.ingress holds information like interface number and name, - vlan, and zone information to classify ingress traffic. Single armed monitoring - such as a network sensor on a span port should only use observer.ingress - to categorize traffic. + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress to + categorize traffic. flat_name: observer.ingress level: extended name: ingress @@ -5547,7 +5565,7 @@ observer: observer.ingress.zone: dashed_name: observer-ingress-zone description: Network zone of incoming traffic as reported by the observer to - categorize the source area of ingress traffic. e.g. internal, External, DMZ, + categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. example: DMZ flat_name: observer.ingress.zone 
@@ -5569,14 +5587,20 @@ observer: type: ip observer.mac: dashed_name: observer-mac - description: MAC addresses of the observer + description: 'MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' flat_name: observer.mac ignore_above: 1024 level: core name: mac normalize: - array - short: MAC addresses of the observer + short: MAC addresses of the observer. type: keyword observer.name: dashed_name: observer-name @@ -7655,7 +7679,13 @@ server: type: ip server.mac: dashed_name: server-mac - description: MAC address of the server. + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: server.mac ignore_above: 1024 level: core @@ -8264,7 +8294,13 @@ source: type: ip source.mac: dashed_name: source-mac - description: MAC address of the source. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 flat_name: source.mac ignore_above: 1024 level: core diff --git a/schemas/client.yml b/schemas/client.yml index e63ab70276..3011c97b46 100644 --- a/schemas/client.yml +++ b/schemas/client.yml 
@@ -48,9 +48,16 @@ - name: mac level: core type: keyword + short: MAC address of the client. + example: 00-00-5E-00-53-23 description: > MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. + - name: domain level: core type: keyword diff --git a/schemas/destination.yml b/schemas/destination.yml index a1e91958f7..c600377b92 100644 --- a/schemas/destination.yml +++ b/schemas/destination.yml @@ -43,9 +43,16 @@ - name: mac level: core type: keyword + short: MAC address of the destination. + example: 00-00-5E-00-53-23 description: > MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. + - name: domain level: core type: keyword diff --git a/schemas/host.yml b/schemas/host.yml index 2fdbd9e4f7..984cc51f40 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -55,8 +55,15 @@ - name: mac level: core type: keyword + short: Host MAC addresses. + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' description: > - Host mac addresses. + Host MAC addresses. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. normalize: - array diff --git a/schemas/observer.yml b/schemas/observer.yml index 88726c372b..9cee51c1c6 100644 --- a/schemas/observer.yml +++ b/schemas/observer.yml 
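Review bot: The new `mac` description only suggests the RFC 7042 notation, and nothing in the schema normalizes or validates it, so the `keyword` field will index whatever form the producer emitted; an exact-term query or a cross-source correlation on `client.mac` will silently miss a colon-separated or lowercase rendering of the same address. A sentence after `hyphen.` such as `ECS does not rewrite the value; producers or ingest pipelines are expected to normalize to this form before indexing.` would make that expectation explicit for detection authors. The same point applies to the `destination.yml` and `host.yml` hunks on this line and to the `observer.yml`, `server.yml` and `source.yml` hunks that follow. Minor: `short:` is placed above `example:` here but below it in `observer.yml`; keeping the key order consistent across the six files would make future diffs easier to read.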
@@ -20,8 +20,15 @@ - name: mac level: core type: keyword + example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]' + short: MAC addresses of the observer. description: > - MAC addresses of the observer + MAC addresses of the observer. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. normalize: - array @@ -96,8 +103,8 @@ type: object short: Object field for ingress information description: > - Observer.ingress holds information like interface number and name, vlan, and zone information to - classify ingress traffic. Single armed monitoring such as a network sensor on a span port should + Observer.ingress holds information like interface number and name, vlan, and zone information to + classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - name: ingress.zone @@ -106,16 +113,16 @@ short: Observer ingress zone example: DMZ description: > - Network zone of incoming traffic as reported by the observer to categorize the source area of ingress + Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - + - name: egress level: extended type: object short: Object field for egress information description: > - Observer.egress holds information like interface number and name, vlan, and zone information to - classify egress traffic. Single armed monitoring such as a network sensor on a span port should + Observer.egress holds information like interface number and name, vlan, and zone information to + classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - name: egress.zone 
@@ -124,5 +131,5 @@ short: Observer Egress zone example: Public_Internet description: > - Network zone of outbound traffic as reported by the observer to categorize the destination area of egress + Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. diff --git a/schemas/server.yml b/schemas/server.yml index 867b3bd03c..b5d66c63e7 100644 --- a/schemas/server.yml +++ b/schemas/server.yml @@ -48,9 +48,16 @@ - name: mac level: core type: keyword + short: MAC address of the server. + example: 00-00-5E-00-53-23 description: > MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. + - name: domain level: core type: keyword diff --git a/schemas/source.yml b/schemas/source.yml index 268b975312..8f3e5f1350 100644 --- a/schemas/source.yml +++ b/schemas/source.yml @@ -43,9 +43,16 @@ - name: mac level: core type: keyword + short: MAC address of the source. + example: 00-00-5E-00-53-23 description: > MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is + represented by two [uppercase] hexadecimal digits giving the value of + the octet as an unsigned integer. Successive octets are separated by a + hyphen. + - name: domain level: core type: keyword From 86bc271e4beb2d6332a41e7c748781949e4c0f16 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 16 Feb 2021 15:57:04 -0600 Subject: [PATCH 77/90] finalize 1.8.0 changelog (#1262) (#1265) --- CHANGELOG.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.next.md | 53 ----------------------------------------------- 2 files changed, 52 insertions(+), 53 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49e89c52b7..feb711c0e1 100644 
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,58 @@ # CHANGELOG
 All notable changes to this project will be documented in this file based on the [Keep a Changelog](http://keepachangelog.com/) Standard. This project adheres to [Semantic Versioning](http://semver.org/).
+## [1.8.0](https://github.com/elastic/ecs/compare/v1.7.0...v1.8.0)
+
+### Schema Changes
+
+#### Bugfixes
+
+* Clean up `event.reference` description. #1181
+* Go code generator fails if `scaled_float` type is used. #1250
+
+#### Added
+
+* Added `event.category` "registry". #1040
+* Added `event.category` "session". #1049
+* Added usage documentation for `user` fields. #1066
+* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
+* Added `os.type`. #1111
+
+#### Improvements
+
+* Event categorization fields GA. #1067
+* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
+* Reinforce the exclusion of the leading dot from `url.extension`. #1151
+
+#### Deprecated
+
+* Deprecated `host.user.*` fields for removal at the next major. #1066
+
+### Tooling and Artifact Changes
+
+#### Bugfixes
+
+* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
+
+#### Added
+
+* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
+* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
+* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
+* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
+* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
+* Added support for `constant_keyword`'s optional parameter `value`. #1112
+* Added component templates for ECS field sets. #1156, #1186, #1191
+* Added functionality for merging custom and core multi-fields. #982
+
+#### Improvements
+
+* Make all fields linkable directly. #1148
+* Added a notice highlighting that the `tracing` fields are not nested under the
+ namespace `tracing.` #1162
+* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
+* Add a documentation page discussing the experimental artifacts. #1189
+
 ## [1.7.0](https://github.com/elastic/ecs/compare/v1.6.0...v1.7.0)
 ### Schema Changes
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 2d597ed044..7d0346ed09 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -29,59 +29,6 @@ Thanks, you're awesome :-) -->
 #### Deprecated
-## 1.8.0 (Feature Freeze)
-
-### Schema Changes
-
-#### Bugfixes
-
-* Clean up `event.reference` description. #1181
-* Go code generator fails if `scaled_float` type is used. #1250
-
-#### Added
-
-* Added `event.category` "registry". #1040
-* Added `event.category` "session". #1049
-* Added usage documentation for `user` fields. #1066
-* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
-* Added `os.type`. #1111
-
-#### Improvements
-
-* Event categorization fields GA. #1067
-* Note `[` and `]` bracket characters may enclose a literal IPv6 address when populating `url.domain`. #1131
-* Reinforce the exclusion of the leading dot from `url.extension`. #1151
-
-#### Deprecated
-
-* Deprecated `host.user.*` fields for removal at the next major. #1066
-
-### Tooling and Artifact Changes
-
-#### Bugfixes
-
-* `tracing` fields should be at root of Beats `fields.ecs.yml` artifacts. #1164
-
-#### Added
-
-* Added the `path` key when type is `alias`, to support the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). #877
-* Added support for `scaled_float`'s mandatory parameter `scaling_factor`. #1042
-* Added ability for --oss flag to fall back `constant_keyword` to `keyword`. #1046
-* Added support in the generated Go source go for `wildcard`, `version`, and `constant_keyword` data types. #1050
-* Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
-* Added support for `constant_keyword`'s optional parameter `value`. #1112
-* Added component templates for ECS field sets. #1156, #1186, #1191
-* Added functionality for merging custom and core multi-fields. #982
-
-#### Improvements
-
-* Make all fields linkable directly. #1148
-* Added a notice highlighting that the `tracing` fields are not nested under the
- namespace `tracing.` #1162
-* ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
-* Add a documentation page discussing the experimental artifacts. #1189
-
-
 * Added `http.request.id`. #1208
 * Added `cloud.service.name`. #1204
 * Added `hash.ssdeep`. #1169
+* Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 #### Improvements
diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go
index f3afb6b871..4953427208 100644
--- a/code/go/ecs/host.go
+++ b/code/go/ecs/host.go
@@ -68,4 +68,35 @@ type Host struct { // or NetBIOS domain name. For Linux this could be the domain of the host's // LDAP provider. Domain string `ecs:"domain"` + + // Percent CPU used which is normalized by the number of CPU cores and it + // ranges from 0 to 1. + // Scaling factor: 1000. + // For example: For a two core host, this value should be the average of + // the two cores, between 0 and 1. + CpuUsage float64 `ecs:"cpu.usage"` + + // The total number of bytes (gauge) read successfully (aggregated from all + // disks) since the last metric collection. + DiskReadBytes int64 `ecs:"disk.read.bytes"` + + // The total number of bytes (gauge) written successfully (aggregated from + // all disks) since the last metric collection. + DiskWriteBytes int64 `ecs:"disk.write.bytes"` + + // The number of bytes received (gauge) on all network interfaces by the + // host since the last metric collection. + NetworkIngressBytes int64 `ecs:"network.ingress.bytes"` + + // The number of packets (gauge) received on all network interfaces by the + // host since the last metric collection. + NetworkIngressPackets int64 `ecs:"network.ingress.packets"` + + // The number of bytes (gauge) sent out on all network interfaces by the + // host since the last metric collection. + NetworkEgressBytes int64 `ecs:"network.egress.bytes"` + + // The number of packets (gauge) sent out on all network interfaces by the + // host since the last metric collection. + NetworkEgressPackets int64 `ecs:"network.egress.packets"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 12cfbc5870..56ec0e8bbe 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3188,6 +3188,64 @@ example: `x86_64` // =============================================================== +| +[[field-host-cpu-usage]] +<> + +| beta:[ This field is currently considered beta. ] + +Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. + +Scaling factor: 1000. + +For example: For a two core host, this value should be the average of the two cores, between 0 and 1. + +type: scaled_float + + + + + +| extended + +// =============================================================== + +| +[[field-host-disk-read-bytes]] +<> + +| beta:[ This field is currently considered beta. ] + +The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-host-disk-write-bytes]] +<> + +| beta:[ This field is currently considered beta. ] + +The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + | [[field-host-domain]] <> 
@@ -3302,6 +3360,78 @@ type: keyword // =============================================================== +| +[[field-host-network-egress-bytes]] +<> + +| beta:[ This field is currently considered beta. ] + +The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-host-network-egress-packets]] +<> + +| beta:[ This field is currently considered beta. ] + +The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-host-network-ingress-bytes]] +<> + +| beta:[ This field is currently considered beta. ] + +The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-host-network-ingress-packets]] +<> + +| beta:[ This field is currently considered beta. ] + +The number of packets (gauge) received on all network interfaces by the host since the last metric collection. + +type: long + + + + + +| extended + +// =============================================================== + | [[field-host-type]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 841d63b442..c044939ad9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2222,7 +2222,9 @@ level: extended type: scaled_float description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. Scaling factor: 1000. + and it ranges from 0 to 1. + + Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.' 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ba35594e18..54583bb5ad 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3355,9 +3355,12 @@ host.architecture: short: Operating system architecture. type: keyword host.cpu.usage: + beta: This field is currently considered beta. dashed_name: host-cpu-usage description: 'Percent CPU used which is normalized by the number of CPU cores and - it ranges from 0 to 1. Scaling factor: 1000. + it ranges from 0 to 1. + + Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.' @@ -3369,6 +3372,7 @@ host.cpu.usage: short: Percent CPU used, between 0 and 1. type: scaled_float host.disk.read.bytes: + beta: This field is currently considered beta. dashed_name: host-disk-read-bytes description: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. @@ -3379,6 +3383,7 @@ host.disk.read.bytes: short: The number of bytes read by all disks. type: long host.disk.write.bytes: + beta: This field is currently considered beta. dashed_name: host-disk-write-bytes description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. @@ -3606,6 +3611,7 @@ host.name: short: Name of the host. type: keyword host.network.egress.bytes: + beta: This field is currently considered beta. dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
@@ -3616,6 +3622,7 @@ host.network.egress.bytes: short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: + beta: This field is currently considered beta. dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. @@ -3626,6 +3633,7 @@ host.network.egress.packets: short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: + beta: This field is currently considered beta. dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. @@ -3636,6 +3644,7 @@ host.network.ingress.bytes: short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: + beta: This field is currently considered beta. dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ff10e027f4..a0bb8d6a76 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4092,9 +4092,12 @@ host: short: Operating system architecture. type: keyword host.cpu.usage: + beta: This field is currently considered beta. dashed_name: host-cpu-usage description: 'Percent CPU used which is normalized by the number of CPU cores - and it ranges from 0 to 1. Scaling factor: 1000. + and it ranges from 0 to 1. + + Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1.' 
@@ -4106,6 +4109,7 @@ host: short: Percent CPU used, between 0 and 1. type: scaled_float host.disk.read.bytes: + beta: This field is currently considered beta. dashed_name: host-disk-read-bytes description: The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. @@ -4116,6 +4120,7 @@ host: short: The number of bytes read by all disks. type: long host.disk.write.bytes: + beta: This field is currently considered beta. dashed_name: host-disk-write-bytes description: The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. @@ -4346,6 +4351,7 @@ host: short: Name of the host. type: keyword host.network.egress.bytes: + beta: This field is currently considered beta. dashed_name: host-network-egress-bytes description: The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. @@ -4356,6 +4362,7 @@ host: short: The number of bytes sent on all network interfaces. type: long host.network.egress.packets: + beta: This field is currently considered beta. dashed_name: host-network-egress-packets description: The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. @@ -4366,6 +4373,7 @@ host: short: The number of packets sent on all network interfaces. type: long host.network.ingress.bytes: + beta: This field is currently considered beta. dashed_name: host-network-ingress-bytes description: The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. @@ -4376,6 +4384,7 @@ host: short: The number of bytes received on all network interfaces. type: long host.network.ingress.packets: + beta: This field is currently considered beta. dashed_name: host-network-ingress-packets description: The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
diff --git a/experimental/schemas/host.yml b/experimental/schemas/host.yml index b7b57cfc09..91f3d1bbc2 100644 --- a/experimental/schemas/host.yml +++ b/experimental/schemas/host.yml 
@@ -1,65 +1,4 @@ - name: host fields: - # RFC 0005 - - name: cpu.usage - type: scaled_float - scaling_factor: 1000 - level: extended - short: Percent CPU used, between 0 and 1. - description: > - Percent CPU used which is normalized by the number of CPU cores and it - ranges from 0 to 1. Scaling factor: 1000. - - For example: For a two core host, this value should be the average of the - two cores, between 0 and 1. - - - name: network.ingress.bytes - type: long - level: extended - short: The number of bytes received on all network interfaces. - description: > - The number of bytes received (gauge) on all network interfaces by the - host since the last metric collection. - - - name: network.ingress.packets - type: long - level: extended - short: The number of packets received on all network interfaces. - description: > - The number of packets (gauge) received on all network interfaces by the - host since the last metric collection. - - - name: network.egress.bytes - type: long - level: extended - short: The number of bytes sent on all network interfaces. - description: > - The number of bytes (gauge) sent out on all network interfaces by the - host since the last metric collection. - - - name: network.egress.packets - type: long - level: extended - short: The number of packets sent on all network interfaces. - description: > - The number of packets (gauge) sent out on all network interfaces by the - host since the last metric collection. - - - name: disk.read.bytes - type: long - level: extended - short: The number of bytes read by all disks. - description: > - The total number of bytes (gauge) read successfully (aggregated from all - disks) since the last metric collection. - - - name: disk.write.bytes - type: long - level: extended - short: The number of bytes written on all disks. - description: > - The total number of bytes (gauge) written successfully (aggregated from - all disks) since the last metric collection. - - name: hostname type: wildcard 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 6fd2e7ea03..4e6459e331 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2195,6 +2195,30 @@ ignore_above: 1024 description: Operating system architecture. example: x86_64 + - name: cpu.usage + level: extended + type: scaled_float + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + scaling_factor: 1000 + default_field: false + - name: disk.read.bytes + level: extended + type: long + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + default_field: false + - name: disk.write.bytes + level: extended + type: long + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + default_field: false - name: domain level: extended type: keyword 
@@ -2323,6 +2347,30 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: network.egress.bytes + level: extended + type: long + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.egress.packets + level: extended + type: long + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.bytes + level: extended + type: long + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + default_field: false + - name: network.ingress.packets + level: extended + type: long + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + default_field: false - name: os.family level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 46400c8e83..8048de1277 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -239,6 +239,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group. 1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +1.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. 1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 
@@ -256,6 +259,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. 1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b92392d17e..9057ad0999 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3336,6 +3336,45 @@ host.architecture: normalize: [] short: Operating system architecture. type: keyword +host.cpu.usage: + beta: This field is currently considered beta. + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores and + it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the two + cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float +host.disk.read.bytes: + beta: This field is currently considered beta. + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated from + all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long +host.disk.write.bytes: + beta: This field is currently considered beta. + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -3555,6 +3594,50 @@ host.name: normalize: [] short: Name of the host. type: keyword +host.network.egress.bytes: + beta: This field is currently considered beta. + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long +host.network.egress.packets: + beta: This field is currently considered beta. + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces by + the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long +host.network.ingress.bytes: + beta: This field is currently considered beta. + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long +host.network.ingress.packets: + beta: This field is currently considered beta. + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces by + the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b11ded1d60..482bcf618a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4052,6 +4052,45 @@ host: normalize: [] short: Operating system architecture. type: keyword + host.cpu.usage: + beta: This field is currently considered beta. + dashed_name: host-cpu-usage + description: 'Percent CPU used which is normalized by the number of CPU cores + and it ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of the + two cores, between 0 and 1.' + flat_name: host.cpu.usage + level: extended + name: cpu.usage + normalize: [] + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + type: scaled_float + host.disk.read.bytes: + beta: This field is currently considered beta. + dashed_name: host-disk-read-bytes + description: The total number of bytes (gauge) read successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.read.bytes + level: extended + name: disk.read.bytes + normalize: [] + short: The number of bytes read by all disks. + type: long + host.disk.write.bytes: + beta: This field is currently considered beta. + dashed_name: host-disk-write-bytes + description: The total number of bytes (gauge) written successfully (aggregated + from all disks) since the last metric collection. + flat_name: host.disk.write.bytes + level: extended + name: disk.write.bytes + normalize: [] + short: The number of bytes written on all disks. + type: long host.domain: dashed_name: host-domain description: 'Name of the domain of which the host is a member. 
@@ -4274,6 +4313,50 @@ host: normalize: [] short: Name of the host. type: keyword + host.network.egress.bytes: + beta: This field is currently considered beta. + dashed_name: host-network-egress-bytes + description: The number of bytes (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.bytes + level: extended + name: network.egress.bytes + normalize: [] + short: The number of bytes sent on all network interfaces. + type: long + host.network.egress.packets: + beta: This field is currently considered beta. + dashed_name: host-network-egress-packets + description: The number of packets (gauge) sent out on all network interfaces + by the host since the last metric collection. + flat_name: host.network.egress.packets + level: extended + name: network.egress.packets + normalize: [] + short: The number of packets sent on all network interfaces. + type: long + host.network.ingress.bytes: + beta: This field is currently considered beta. + dashed_name: host-network-ingress-bytes + description: The number of bytes received (gauge) on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.bytes + level: extended + name: network.ingress.bytes + normalize: [] + short: The number of bytes received on all network interfaces. + type: long + host.network.ingress.packets: + beta: This field is currently considered beta. + dashed_name: host-network-ingress-packets + description: The number of packets (gauge) received on all network interfaces + by the host since the last metric collection. + flat_name: host.network.ingress.packets + level: extended + name: network.ingress.packets + normalize: [] + short: The number of packets received on all network interfaces. + type: long host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 15708392e3..b126de6d78 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1115,6 +1115,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -1185,6 +1211,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 083546847a..f70782f320 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1114,6 +1114,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -1184,6 +1210,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { 
diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index e371893cf8..e4ee59abbc 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -12,6 +12,32 @@ "ignore_above": 1024, "type": "keyword" }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" @@ -82,6 +108,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { diff --git a/schemas/host.yml b/schemas/host.yml index 984cc51f40..74a6de5eec 100644 --- a/schemas/host.yml +++ b/schemas/host.yml 
@@ -103,3 +103,71 @@ For Linux this could be the domain of the host's LDAP provider. example: CONTOSO + - name: cpu.usage + level: extended + type: scaled_float + scaling_factor: 1000 + short: Percent CPU used, between 0 and 1. + beta: This field is currently considered beta. + description: > + Percent CPU used which is normalized by the number of CPU cores and it + ranges from 0 to 1. + + Scaling factor: 1000. + + For example: For a two core host, this value should be the average of + the two cores, between 0 and 1. + + - name: disk.read.bytes + type: long + level: extended + short: The number of bytes read by all disks. + beta: This field is currently considered beta. + description: > + The total number of bytes (gauge) read successfully (aggregated from all + disks) since the last metric collection. + + - name: disk.write.bytes + type: long + level: extended + short: The number of bytes written on all disks. + beta: This field is currently considered beta. + description: > + The total number of bytes (gauge) written successfully (aggregated from + all disks) since the last metric collection. + + - name: network.ingress.bytes + type: long + level: extended + short: The number of bytes received on all network interfaces. + beta: This field is currently considered beta. + description: > + The number of bytes received (gauge) on all network interfaces by the + host since the last metric collection. + + - name: network.ingress.packets + type: long + level: extended + short: The number of packets received on all network interfaces. + beta: This field is currently considered beta. + description: > + The number of packets (gauge) received on all network interfaces by the + host since the last metric collection. + + - name: network.egress.bytes + type: long + level: extended + short: The number of bytes sent on all network interfaces. + beta: This field is currently considered beta. 
+ description: > + The number of bytes (gauge) sent out on all network interfaces by the + host since the last metric collection. + + - name: network.egress.packets + type: long + level: extended + short: The number of packets sent on all network interfaces. + beta: This field is currently considered beta. + description: > + The number of packets (gauge) sent out on all network interfaces by the + host since the last metric collection. From 9f97ffbc3b2e2770367cbc7a35b6d1d764199ae4 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 17 Feb 2021 10:00:05 -0600 Subject: [PATCH 79/90] Stage 1 changes for RFC 0014 - extend pe fields (#1256) (#1270) --- CHANGELOG.next.md | 1 + experimental/generated/beats/fields.ecs.yml | 1100 +++++++++- experimental/generated/csv/fields.csv | 124 ++ experimental/generated/ecs/ecs_flat.yml | 1536 +++++++++++++- experimental/generated/ecs/ecs_nested.yml | 1881 ++++++++++++++++- .../generated/elasticsearch/7/template.json | 544 +++++ .../elasticsearch/component/dll.json | 136 ++ .../elasticsearch/component/file.json | 136 ++ .../elasticsearch/component/process.json | 272 +++ experimental/schemas/pe.yml | 225 ++ 10 files changed, 5878 insertions(+), 77 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 6239379a43..8fe7df718f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Added `hash.ssdeep`. #1169 * Added additional host fields. #1248 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 +* Extended `pe` fields added to experimental schema. #1256 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c044939ad9..bad2a56e1b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
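Review bot: The six new disk and network descriptions in `schemas/host.yml` call the value a "(gauge)" while also scoping it "since the last metric collection", which reads as a per-interval delta; the two don't agree, and anyone writing a threshold rule on `host.network.egress.bytes` (for example an exfiltration hunt) needs to know which it is, because a delta's magnitude scales with a collection interval that is not recorded in the event. If a delta is the intent, I'd say so explicitly, e.g. for `network.egress.bytes`: `The number of bytes sent out on all network interfaces by the host since the last metric collection. This is the amount for that interval, not a cumulative counter, so it is only comparable across hosts that use the same collection interval.` — and apply the same wording to the other five. For `cpu.usage`, "ranges from 0 to 1" is stated as a contract, but nothing says what a producer should do with a normalized value that lands slightly above 1 (e.g. through rounding); a one-line note such as `Producers should clamp to the 0-1 range; consumers should not assume the value is strictly bounded.` would avoid surprising `scaled_float` consumers. The enclosing `fields:` list of the `host` field set starts outside this hunk.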
@@ -1040,6 +1040,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1047,6 +1054,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1054,6 +1122,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1061,6 +1143,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1072,12 +1162,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1085,6 +1196,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: dns title: DNS group: 2 @@ -1809,6 +2019,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1816,6 +2033,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1823,6 +2101,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1830,6 +2122,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1841,12 +2141,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1854,6 +2175,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: size level: extended type: long @@ -3486,6 +3906,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: company level: extended type: keyword 
@@ -3493,47 +3920,250 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: description + - name: compile_timestamp level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: file_version + - name: compiler.name level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Name of the compiler + example: Clang default_field: false - - name: imphash + - name: compiler.version level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: original_file_name + - name: creation_date level: extended - type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: product + - name: debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ default_field: false + - name: debug.offset level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + description: Debug offset information. + example: 1296336 default_field: false - - name: process - title: Process - group: 2 + - name: debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. 
+ example: b806e17c8e330d82 + default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: -1 + default_field: false + - name: resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. 
+ example: .text, .data + default_field: false + - name: sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: process + title: Process + group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name @@ -3845,6 +4475,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: parent.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: parent.pe.company level: extended type: keyword 
@@ -3852,6 +4489,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: parent.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: parent.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: parent.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: parent.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: parent.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: parent.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: parent.pe.description level: extended type: keyword 
@@ -3859,6 +4557,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: parent.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: parent.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: parent.pe.file_version level: extended type: keyword @@ -3866,6 +4578,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: parent.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: parent.pe.imphash level: extended type: keyword 
@@ -3877,12 +4597,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: parent.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: parent.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: parent.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: parent.pe.product level: extended type: keyword 
@@ -3890,6 +4631,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: parent.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: parent.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: parent.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: parent.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: parent.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: parent.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: parent.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: parent.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. 
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: parent.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: parent.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: parent.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: parent.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: parent.pgid level: extended type: long @@ -3964,6 +4804,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -3971,6 +4818,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -3978,6 +4886,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -3985,6 +4907,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -3996,12 +4926,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -4009,6 +4960,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: pgid level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2ab59c260c..0bde23311a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -118,12 +118,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information +1.9.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. 
+1.9.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information +1.9.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. 
+1.9.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 
@@ -203,12 +234,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
 1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
 1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
@@ -433,12 +495,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
@@ -451,12 +544,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 54583bb5ad..ee97af19e6 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1403,6 +1403,18 @@ dll.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +dll.pe.authentihash: + dashed_name: dll-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: dll.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword dll.pe.company: dashed_name: dll-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -1415,6 +1427,113 @@ dll.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +dll.pe.compile_timestamp: + dashed_name: dll-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +dll.pe.compiler.name: + dashed_name: dll-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: dll.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +dll.pe.compiler.version: + dashed_name: dll-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: dll.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +dll.pe.creation_date: + dashed_name: dll-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +dll.pe.debug: + dashed_name: dll-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: dll.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +dll.pe.debug.offset: + dashed_name: dll-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: dll.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +dll.pe.debug.size: + dashed_name: dll-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: dll.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +dll.pe.debug.timestamp: + dashed_name: dll-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +dll.pe.debug.type: + dashed_name: dll-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: dll.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword dll.pe.description: dashed_name: dll-pe-description description: Internal description of the file, provided at compile-time. 
@@ -1427,6 +1546,31 @@ dll.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +dll.pe.entry_point: + dashed_name: dll-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: dll.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +dll.pe.exports: + dashed_name: dll-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: dll.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -1439,6 +1583,19 @@ dll.pe.file_version: original_fieldset: pe short: Process name. type: keyword +dll.pe.icon.hash.dhash: + dashed_name: dll-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: dll.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -1455,6 +1612,30 @@ dll.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +dll.pe.imports: + dashed_name: dll-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: dll.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +dll.pe.machine_type: + dashed_name: dll-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: dll.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -1466,6 +1647,19 @@ dll.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +dll.pe.packers: + dashed_name: dll-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: dll.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1478,6 +1672,183 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dll.pe.resources: + dashed_name: dll-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: dll.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +dll.pe.resources.chi2: + dashed_name: dll-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: dll.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +dll.pe.resources.entropy: + dashed_name: dll-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: dll.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +dll.pe.resources.filetype: + dashed_name: dll-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: dll.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +dll.pe.resources.language: + dashed_name: dll-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: dll.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +dll.pe.resources.sha256: + dashed_name: dll-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: dll.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +dll.pe.resources.type: + dashed_name: dll-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: dll.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +dll.pe.rich_header.hash.md5: + dashed_name: dll-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: dll.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +dll.pe.sections: + dashed_name: dll-pe-sections + description: Data about sections of compiled binary PE + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +dll.pe.sections.chi2: + dashed_name: dll-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: dll.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: dll.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float +dll.pe.sections.flags: + dashed_name: dll-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: dll.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +dll.pe.sections.raw_size: + dashed_name: dll-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: dll.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +dll.pe.sections.virtual_address: + dashed_name: dll-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: dll.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
@@ -2884,6 +3255,18 @@ file.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +file.pe.authentihash: + dashed_name: file-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: file.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -2896,6 +3279,113 @@ file.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +file.pe.compile_timestamp: + dashed_name: file-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +file.pe.compiler.name: + dashed_name: file-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: file.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +file.pe.compiler.version: + dashed_name: file-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: file.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +file.pe.creation_date: + dashed_name: file-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +file.pe.debug: + dashed_name: file-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: file.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +file.pe.debug.offset: + dashed_name: file-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: file.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +file.pe.debug.size: + dashed_name: file-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: file.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +file.pe.debug.timestamp: + dashed_name: file-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +file.pe.debug.type: + dashed_name: file-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: file.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -2908,6 +3398,31 @@ file.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +file.pe.entry_point: + dashed_name: file-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: file.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +file.pe.exports: + dashed_name: file-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: file.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -2920,6 +3435,19 @@ file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +file.pe.icon.hash.dhash: + dashed_name: file-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: file.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -2936,6 +3464,30 @@ file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +file.pe.imports: + dashed_name: file-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: file.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +file.pe.machine_type: + dashed_name: file-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: file.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -2947,6 +3499,19 @@ file.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +file.pe.packers: + dashed_name: file-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: file.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -2959,38 +3524,215 @@ file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -file.size: - dashed_name: file-size - description: 'File size in bytes. +file.pe.resources: + dashed_name: file-pe-resources + description: 'An array containing an object for each PE resource, if present. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: file.size + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: file.pe.resources level: extended - name: size + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +file.pe.resources.chi2: + dashed_name: file-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: file.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long -file.target_path: - dashed_name: file-target-path - description: Target path for symlinks. - flat_name: file.target_path +file.pe.resources.entropy: + dashed_name: file-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: file.pe.resources.entropy level: extended - multi_fields: - - flat_name: file.target_path.text - name: text - norms: false - type: text - name: target_path + name: resources.entropy normalize: [] - short: Target path for symlinks. - type: wildcard -file.type: - dashed_name: file-type - description: File type (file, dir, or symlink). - example: file - flat_name: file.type - ignore_above: 1024 + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +file.pe.resources.filetype: + dashed_name: file-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: file.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +file.pe.resources.language: + dashed_name: file-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: file.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +file.pe.resources.sha256: + dashed_name: file-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: file.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +file.pe.resources.type: + dashed_name: file-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: file.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +file.pe.rich_header.hash.md5: + dashed_name: file-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: file.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword +file.pe.sections: + dashed_name: file-pe-sections + description: Data about sections of compiled binary PE + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +file.pe.sections.chi2: + dashed_name: file-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: file.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: file.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +file.pe.sections.flags: + dashed_name: file-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: file.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +file.pe.sections.name: + dashed_name: file-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +file.pe.sections.raw_size: + dashed_name: file-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: file.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long +file.pe.sections.virtual_address: + dashed_name: file-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: file.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long +file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard +file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 level: extended name: type normalize: [] @@ -5682,6 +6424,18 @@ process.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +process.parent.pe.authentihash: + dashed_name: process-parent-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.parent.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -5694,6 +6448,113 @@ process.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +process.parent.pe.compile_timestamp: + dashed_name: process-parent-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +process.parent.pe.compiler.name: + dashed_name: process-parent-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.parent.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +process.parent.pe.compiler.version: + dashed_name: process-parent-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.parent.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +process.parent.pe.creation_date: + dashed_name: process-parent-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +process.parent.pe.debug: + dashed_name: process-parent-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.parent.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +process.parent.pe.debug.offset: + dashed_name: process-parent-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.parent.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +process.parent.pe.debug.size: + dashed_name: process-parent-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.parent.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +process.parent.pe.debug.timestamp: + dashed_name: process-parent-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +process.parent.pe.debug.type: + dashed_name: process-parent-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.parent.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -5706,6 +6567,31 @@ process.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +process.parent.pe.entry_point: + dashed_name: process-parent-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.parent.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +process.parent.pe.exports: + dashed_name: process-parent-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.parent.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -5718,6 +6604,19 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.parent.pe.icon.hash.dhash: + dashed_name: process-parent-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.parent.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -5734,6 +6633,30 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +process.parent.pe.machine_type: + dashed_name: process-parent-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.parent.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -5745,6 +6668,19 @@ process.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +process.parent.pe.packers: + dashed_name: process-parent-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.parent.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5757,6 +6693,183 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.parent.pe.resources: + dashed_name: process-parent-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.parent.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +process.parent.pe.resources.chi2: + dashed_name: process-parent-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.parent.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.parent.pe.resources.entropy: + dashed_name: process-parent-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.parent.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +process.parent.pe.resources.filetype: + dashed_name: process-parent-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.parent.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +process.parent.pe.resources.language: + dashed_name: process-parent-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: process.parent.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +process.parent.pe.resources.sha256: + dashed_name: process-parent-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.parent.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +process.parent.pe.resources.type: + dashed_name: process-parent-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.parent.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +process.parent.pe.rich_header.hash.md5: + dashed_name: process-parent-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.parent.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +process.parent.pe.sections.chi2: + dashed_name: process-parent-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: process.parent.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.parent.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +process.parent.pe.sections.flags: + dashed_name: process-parent-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.parent.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +process.parent.pe.sections.raw_size: + dashed_name: process-parent-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.parent.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +process.parent.pe.sections.virtual_address: + dashed_name: process-parent-pe-sections-virtual-address + description: Virtual address available to the file. 
+ example: 8192 + flat_name: process.parent.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -5883,6 +6996,18 @@ process.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +process.pe.authentihash: + dashed_name: process-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -5895,6 +7020,113 @@ process.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +process.pe.compile_timestamp: + dashed_name: process-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +process.pe.compiler.name: + dashed_name: process-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +process.pe.compiler.version: + dashed_name: process-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +process.pe.creation_date: + dashed_name: process-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +process.pe.debug: + dashed_name: process-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +process.pe.debug.offset: + dashed_name: process-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +process.pe.debug.size: + dashed_name: process-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +process.pe.debug.timestamp: + dashed_name: process-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +process.pe.debug.type: + dashed_name: process-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.pe.description: dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. 
@@ -5907,6 +7139,31 @@ process.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +process.pe.entry_point: + dashed_name: process-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +process.pe.exports: + dashed_name: process-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.pe.file_version: dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. @@ -5919,6 +7176,19 @@ process.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.pe.icon.hash.dhash: + dashed_name: process-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -5935,6 +7205,30 @@ process.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +process.pe.machine_type: + dashed_name: process-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -5946,6 +7240,19 @@ process.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +process.pe.packers: + dashed_name: process-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5958,6 +7265,183 @@ process.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.pe.resources: + dashed_name: process-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +process.pe.resources.chi2: + dashed_name: process-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.pe.resources.entropy: + dashed_name: process-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +process.pe.resources.filetype: + dashed_name: process-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +process.pe.resources.language: + dashed_name: process-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword +process.pe.resources.sha256: + dashed_name: process-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +process.pe.resources.type: + dashed_name: process-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +process.pe.rich_header.hash.md5: + dashed_name: process-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +process.pe.sections.chi2: + dashed_name: process-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: process.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +process.pe.sections.flags: + dashed_name: process-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +process.pe.sections.raw_size: + dashed_name: process-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +process.pe.sections.virtual_address: + dashed_name: process-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a0bb8d6a76..4ce5d1a3ea 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1749,6 +1749,18 @@ dll: original_fieldset: pe short: CPU architecture target for the file. type: keyword + dll.pe.authentihash: + dashed_name: dll-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: dll.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword dll.pe.company: dashed_name: dll-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -1761,6 +1773,113 @@ dll: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + dll.pe.compile_timestamp: + dashed_name: dll-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + dll.pe.compiler.name: + dashed_name: dll-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: dll.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + dll.pe.compiler.version: + dashed_name: dll-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: dll.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + dll.pe.creation_date: + dashed_name: dll-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + dll.pe.debug: + dashed_name: dll-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: dll.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + dll.pe.debug.offset: + dashed_name: dll-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: dll.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + dll.pe.debug.size: + dashed_name: dll-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: dll.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + dll.pe.debug.timestamp: + dashed_name: dll-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + dll.pe.debug.type: + dashed_name: dll-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: dll.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword dll.pe.description: dashed_name: dll-pe-description description: Internal description of the file, provided at compile-time. 
@@ -1773,6 +1892,31 @@ dll: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + dll.pe.entry_point: + dashed_name: dll-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: dll.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + dll.pe.exports: + dashed_name: dll-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: dll.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -1785,6 +1929,20 @@ dll: original_fieldset: pe short: Process name. type: keyword + dll.pe.icon.hash.dhash: + dashed_name: dll-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: dll.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -1801,6 +1959,30 @@ dll: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + dll.pe.imports: + dashed_name: dll-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: dll.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + dll.pe.machine_type: + dashed_name: dll-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: dll.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -1812,6 +1994,19 @@ dll: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + dll.pe.packers: + dashed_name: dll-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: dll.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1824,6 +2019,183 @@ dll: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + dll.pe.resources: + dashed_name: dll-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: dll.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + dll.pe.resources.chi2: + dashed_name: dll-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: dll.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + dll.pe.resources.entropy: + dashed_name: dll-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: dll.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + dll.pe.resources.filetype: + dashed_name: dll-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: dll.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + dll.pe.resources.language: + dashed_name: dll-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: dll.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + dll.pe.resources.sha256: + dashed_name: dll-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: dll.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + dll.pe.resources.type: + dashed_name: dll-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: dll.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + dll.pe.rich_header.hash.md5: + dashed_name: dll-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: dll.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + dll.pe.sections: + dashed_name: dll-pe-sections + description: Data about sections of compiled binary PE + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + dll.pe.sections.chi2: + dashed_name: dll-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: dll.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: dll.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float + dll.pe.sections.flags: + dashed_name: dll-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: dll.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + dll.pe.sections.raw_size: + dashed_name: dll-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: dll.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + dll.pe.sections.virtual_address: + dashed_name: dll-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: dll.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long group: 2 name: dll nestings: 
@@ -3332,6 +3704,18 @@ file: original_fieldset: pe short: CPU architecture target for the file. type: keyword + file.pe.authentihash: + dashed_name: file-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: file.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -3344,6 +3728,113 @@ file: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + file.pe.compile_timestamp: + dashed_name: file-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + file.pe.compiler.name: + dashed_name: file-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: file.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + file.pe.compiler.version: + dashed_name: file-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: file.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + file.pe.creation_date: + dashed_name: file-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + file.pe.debug: + dashed_name: file-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: file.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + file.pe.debug.offset: + dashed_name: file-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: file.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + file.pe.debug.size: + dashed_name: file-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: file.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + file.pe.debug.timestamp: + dashed_name: file-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + file.pe.debug.type: + dashed_name: file-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: file.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -3356,6 +3847,31 @@ file: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + file.pe.entry_point: + dashed_name: file-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: file.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + file.pe.exports: + dashed_name: file-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: file.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -3368,6 +3884,20 @@ file: original_fieldset: pe short: Process name. type: keyword + file.pe.icon.hash.dhash: + dashed_name: file-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: file.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -3384,6 +3914,30 @@ file: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + file.pe.imports: + dashed_name: file-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: file.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + file.pe.machine_type: + dashed_name: file-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: file.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -3395,6 +3949,19 @@ file: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + file.pe.packers: + dashed_name: file-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: file.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -3407,38 +3974,215 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - file.size: - dashed_name: file-size - description: 'File size in bytes. + file.pe.resources: + dashed_name: file-pe-resources + description: 'An array containing an object for each PE resource, if present. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: file.size + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: file.pe.resources level: extended - name: size + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + file.pe.resources.chi2: + dashed_name: file-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: file.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long - file.target_path: - dashed_name: file-target-path - description: Target path for symlinks. - flat_name: file.target_path + file.pe.resources.entropy: + dashed_name: file-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: file.pe.resources.entropy level: extended - multi_fields: - - flat_name: file.target_path.text - name: text - norms: false - type: text - name: target_path + name: resources.entropy normalize: [] - short: Target path for symlinks. - type: wildcard - file.type: - dashed_name: file-type - description: File type (file, dir, or symlink). - example: file - flat_name: file.type - ignore_above: 1024 + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + file.pe.resources.filetype: + dashed_name: file-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: file.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + file.pe.resources.language: + dashed_name: file-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: file.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + file.pe.resources.sha256: + dashed_name: file-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: file.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + file.pe.resources.type: + dashed_name: file-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: file.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + file.pe.rich_header.hash.md5: + dashed_name: file-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: file.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword + file.pe.sections: + dashed_name: file-pe-sections + description: Data about sections of compiled binary PE + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + file.pe.sections.chi2: + dashed_name: file-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: file.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: file.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + file.pe.sections.flags: + dashed_name: file-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: file.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + file.pe.sections.name: + dashed_name: file-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + file.pe.sections.raw_size: + dashed_name: file-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: file.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long + file.pe.sections.virtual_address: + dashed_name: file-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: file.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long + file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard + file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 level: extended name: type normalize: [] @@ -6243,6 +6987,17 @@ pe: normalize: [] short: CPU architecture target for the file. type: keyword + pe.authentihash: + dashed_name: pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + short: Authentihash of the PE file. + type: keyword pe.company: dashed_name: pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6254,6 +7009,104 @@ pe: normalize: [] short: Internal company name of the file, provided at compile-time. type: keyword + pe.compile_timestamp: + dashed_name: pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + short: Compile timestamp of the PE file. + type: date + pe.compiler.name: + dashed_name: pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + short: Name of the compiler + type: keyword + pe.compiler.version: + dashed_name: pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + short: Version of the compiler. + type: keyword + pe.creation_date: + dashed_name: pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.creation_date + level: extended + name: creation_date + normalize: [] + short: Build or compile date. + type: date + pe.debug: + dashed_name: pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: pe.debug + level: extended + name: debug + normalize: + - array + short: Debug information + type: nested + pe.debug.offset: + dashed_name: pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + short: Debug offset information. 
+ type: keyword + pe.debug.size: + dashed_name: pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + short: Size of the debug information. + type: long + pe.debug.timestamp: + dashed_name: pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + short: Timestamp of the debug information. + type: date + pe.debug.type: + dashed_name: pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + short: Information type generated by the debug options. + type: keyword pe.description: dashed_name: pe-description description: Internal description of the file, provided at compile-time. @@ -6265,6 +7118,29 @@ pe: normalize: [] short: Internal description of the file, provided at compile-time. type: keyword + pe.entry_point: + dashed_name: pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + short: Relative byte offset to the base of the PE file. + type: keyword + pe.exports: + dashed_name: pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + short: List of symbols exported by PE + type: keyword pe.file_version: dashed_name: pe-file-version description: Internal version of the file, provided at compile-time. 
@@ -6276,6 +7152,19 @@ pe: normalize: [] short: Process name. type: keyword + pe.icon.hash.dhash: + dashed_name: pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash @@ -6291,6 +7180,28 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword + pe.imports: + dashed_name: pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: pe.imports + level: extended + name: imports + normalize: [] + short: List of all imported functions + type: flattened + pe.machine_type: + dashed_name: pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + short: Machine type of the PE file. + type: keyword pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6301,6 +7212,18 @@ pe: normalize: [] short: Internal name of the file, provided at compile-time. type: wildcard + pe.packers: + dashed_name: pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + short: List of packers and tools used. + type: keyword pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6312,6 +7235,168 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword + pe.resources: + dashed_name: pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: pe.resources + level: extended + name: resources + normalize: + - array + short: PE resource information + type: nested + pe.resources.chi2: + dashed_name: pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.resources.entropy: + dashed_name: pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + short: Measurement of entropy randomness in the resources section. + type: long + pe.resources.filetype: + dashed_name: pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + short: File type of the resources section. + type: keyword + pe.resources.language: + dashed_name: pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + short: Language identification. + type: keyword + pe.resources.sha256: + dashed_name: pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + short: SHA256 hash of resources section. + type: keyword + pe.resources.type: + dashed_name: pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + short: List of resource types. + type: keyword + pe.rich_header.hash.md5: + dashed_name: pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + short: MD5 hash of the header for the PE file. + type: keyword + pe.sections: + dashed_name: pe-sections + description: Data about sections of compiled binary PE + flat_name: pe.sections + level: extended + name: sections + normalize: + - array + short: Data about sections of the compiled binary PE + type: nested + pe.sections.chi2: + dashed_name: pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.sections.entropy: + dashed_name: pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + short: Measurement of entropy randomness in the file. + type: float + pe.sections.flags: + dashed_name: pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + short: Section flags of the file. 
+ type: keyword + pe.sections.name: + dashed_name: pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: Section names of the file. + type: keyword + pe.sections.raw_size: + dashed_name: pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + short: Size of the section or the dize of the initialized data on disk. + type: long + pe.sections.virtual_address: + dashed_name: pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + short: Virtual address available to the file. + type: long group: 2 name: pe prefix: pe. @@ -6824,6 +7909,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.parent.pe.authentihash: + dashed_name: process-parent-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.parent.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6836,6 +7933,113 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.parent.pe.compile_timestamp: + dashed_name: process-parent-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.parent.pe.compiler.name: + dashed_name: process-parent-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.parent.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.parent.pe.compiler.version: + dashed_name: process-parent-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.parent.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.parent.pe.creation_date: + dashed_name: process-parent-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + process.parent.pe.debug: + dashed_name: process-parent-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.parent.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.parent.pe.debug.offset: + dashed_name: process-parent-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.parent.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.parent.pe.debug.size: + dashed_name: process-parent-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.parent.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.parent.pe.debug.timestamp: + dashed_name: process-parent-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.parent.pe.debug.type: + dashed_name: process-parent-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.parent.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -6848,6 +8052,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.parent.pe.entry_point: + dashed_name: process-parent-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.parent.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.parent.pe.exports: + dashed_name: process-parent-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.parent.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -6860,6 +8089,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.parent.pe.icon.hash.dhash: + dashed_name: process-parent-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.parent.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -6876,6 +8119,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.parent.pe.machine_type: + dashed_name: process-parent-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.parent.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6887,6 +8154,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.parent.pe.packers: + dashed_name: process-parent-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.parent.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6899,6 +8179,183 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.parent.pe.resources: + dashed_name: process-parent-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.parent.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + process.parent.pe.resources.chi2: + dashed_name: process-parent-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.parent.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.parent.pe.resources.entropy: + dashed_name: process-parent-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.parent.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.parent.pe.resources.filetype: + dashed_name: process-parent-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.parent.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.parent.pe.resources.language: + dashed_name: process-parent-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: process.parent.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + process.parent.pe.resources.sha256: + dashed_name: process-parent-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.parent.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.parent.pe.resources.type: + dashed_name: process-parent-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.parent.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.parent.pe.rich_header.hash.md5: + dashed_name: process-parent-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.parent.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.parent.pe.sections.chi2: + dashed_name: process-parent-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: process.parent.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.parent.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + process.parent.pe.sections.flags: + dashed_name: process-parent-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.parent.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.parent.pe.sections.raw_size: + dashed_name: process-parent-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.parent.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.parent.pe.sections.virtual_address: + dashed_name: process-parent-pe-sections-virtual-address + description: Virtual address available to the file. 
+ example: 8192 + flat_name: process.parent.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -7025,6 +8482,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.pe.authentihash: + dashed_name: process-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -7037,6 +8506,113 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.pe.compile_timestamp: + dashed_name: process-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.pe.compiler.name: + dashed_name: process-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.pe.compiler.version: + dashed_name: process-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.pe.creation_date: + dashed_name: process-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + process.pe.debug: + dashed_name: process-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.pe.debug.offset: + dashed_name: process-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.pe.debug.size: + dashed_name: process-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.pe.debug.timestamp: + dashed_name: process-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.pe.debug.type: + dashed_name: process-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.pe.description: dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. 
@@ -7049,6 +8625,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.pe.entry_point: + dashed_name: process-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.pe.exports: + dashed_name: process-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.pe.file_version: dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. @@ -7061,6 +8662,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.pe.icon.hash.dhash: + dashed_name: process-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -7077,6 +8692,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.pe.machine_type: + dashed_name: process-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -7088,6 +8727,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.pe.packers: + dashed_name: process-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -7100,6 +8752,183 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.pe.resources: + dashed_name: process-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + process.pe.resources.chi2: + dashed_name: process-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.resources.entropy: + dashed_name: process-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.pe.resources.filetype: + dashed_name: process-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.pe.resources.language: + dashed_name: process-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword + process.pe.resources.sha256: + dashed_name: process-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.pe.resources.type: + dashed_name: process-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.pe.rich_header.hash.md5: + dashed_name: process-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.pe.sections.chi2: + dashed_name: process-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: process.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + process.pe.sections.flags: + dashed_name: process-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.pe.sections.raw_size: + dashed_name: process-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.pe.sections.virtual_address: + dashed_name: process-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 451c03c849..ae2eb9f34b 100644 --- a/experimental/generated/elasticsearch/7/template.json 
+++ b/experimental/generated/elasticsearch/7/template.json 
@@ -568,28 +568,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } 
@@ -926,28 +1062,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2009,28 +2281,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2085,28 +2493,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index f791052452..5e7702fb92 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json 
@@ -67,28 +67,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 0ae17a7b92..5a5d4de0df 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -127,28 +127,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index ed0330dafa..c5747746c8 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -188,28 +188,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -264,28 +400,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index 77a0574348..9ed4b4da8c 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml 
@@ -3,3 +3,228 @@ fields: - name: original_file_name type: wildcard + + - name: icon.hash.dhash + level: extended + type: keyword + description: > + Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + + example: b806e17c8e330d82 + + - name: debug + level: extended + type: nested + short: Debug information + description: > + An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + normalize: + - array + + - name: debug.offset + level: extended + type: keyword + description: Debug offset information. + example: 1296336 + + - name: debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: debug.type + level: extended + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' + + - name: sections + level: extended + short: Data about sections of the compiled binary PE + description: > + Data about sections of compiled binary PE + type: nested + normalize: + - array + + - name: sections.chi2 + level: extended + description: Chi-square probability distribution. + type: long + example: 3027194 + + - name: sections.virtual_address + level: extended + description: Virtual address available to the file. + type: long + format: bytes + example: 8192 + + - name: sections.entropy + level: extended + description: Measurement of entropy randomness in the file. + type: float + example: 6.24 + + - name: sections.flags + level: extended + description: Section flags of the file. 
+ type: keyword + example: rx + + - name: sections.name + level: extended + description: Section names of the file. + type: keyword + example: .text, .data + + - name: sections.raw_size + level: extended + description: Size of the section or the dize of the initialized data on disk. + type: long + format: bytes + example: 198144 + + - name: resources + level: extended + type: nested + short: PE resource information + description: > + An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix. + normalize: + - array + + - name: resources.chi2 + level: extended + description: Chi-square probability distribution. + type: long + example: -1 + + - name: resources.filetype + level: extended + description: File type of the resources section. + type: keyword + example: Data + + - name: resources.entropy + level: extended + description: Measurement of entropy randomness in the resources section. + type: long + example: 0, 1 + + - name: resources.sha256 + level: extended + description: SHA256 hash of resources section. + type: keyword + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + - name: resources.language + level: extended + description: Language identification. + type: keyword + example: "CHINESE SIMPLIFIED" + + - name: resources.type + level: extended + type: keyword + short: List of resource types. + description: > + Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + normalize: + - array + + - name: exports + level: extended + type: keyword + description: > + List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + normalize: + - array + + - name: creation_date + level: extended + short: Build or compile date. + description: > + Extracted when possible from the file's metadata. Indicates when it was + built or compiled. It can also be faked by malware creators. 
+ type: date + example: "2020-11-05T17:25:47.000Z" + + - name: authentihash + level: extended + description: > + Authentihash of the PE file. + type: keyword + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + + - name: compile_timestamp + level: extended + description: > + Compile timestamp of the PE file. + type: date + example: "2020-11-05T17:25:47.000Z" + + - name: compiler.name + level: extended + type: keyword + description: > + Name of the compiler + example: Clang + + - name: compiler.version + level: extended + type: keyword + description: > + Version of the compiler. + example: 11.0.0 + + - name: rich_header.hash.md5 + level: extended + type: keyword + description: > + MD5 hash of the header for the PE file. + + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + + - name: entry_point + level: extended + description: > + Relative byte offset to the base of the PE file. + type: keyword + example: 25856 + + - name: machine_type + level: extended + description: > + Machine type of the PE file. + type: keyword + example: "Intel 386 or later, and compatibles" + + - name: packers + level: extended + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array From 16a60ec7f0eeb1e8fb62687cf5ba3709881fae79 Mon Sep 17 00:00:00 2001 
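Review bot: The new `compile_timestamp` field (and `debug.timestamp`) lacks the caveat that `creation_date`, a few lines above, carries ("It can also be faked by malware creators"), yet all of them come from header fields the author of the binary controls, so none should be treated as ground truth in an investigation; append the same sentence to `compile_timestamp` and `debug.timestamp`. `resources.entropy` is declared `type: long` with example `0, 1` while `sections.entropy` is `type: float` with example `6.24`; entropy is a fractional measure, so the long mapping truncates it and the two should agree, `type: float`. `sections.virtual_address` is tagged `format: bytes`, which consumers honoring the hint will presumably render as a data size (8192 as "8KB"); an RVA is an address, not a byte count, so drop that line and keep `format: bytes` on `sections.raw_size` only. The `sections.raw_size` description also reads "the dize of the initialized data" where "size" is meant.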
From: Eric Beahan Date: Wed, 17 Feb 2021 21:53:59 -0600 Subject: [PATCH 80/90] Add 2 fields to code_signature (#1269) (#1272) Co-authored-by: Yamin Tian <56367679+Trinity2019@users.noreply.github.com> --- CHANGELOG.next.md | 1 + code/go/ecs/code_signature.go | 10 ++ docs/field-details.asciidoc | 36 +++++ experimental/generated/beats/fields.ecs.yml | 100 ++++++++++++ experimental/generated/csv/fields.csv | 8 + experimental/generated/ecs/ecs_flat.yml | 120 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++ .../generated/elasticsearch/7/template.json | 32 ++++ .../elasticsearch/component/dll.json | 8 + .../elasticsearch/component/file.json | 8 + .../elasticsearch/component/process.json | 16 ++ generated/beats/fields.ecs.yml | 100 ++++++++++++ generated/csv/fields.csv | 8 + generated/ecs/ecs_flat.yml | 120 ++++++++++++++ generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++ generated/elasticsearch/6/template.json | 32 ++++ generated/elasticsearch/7/template.json | 32 ++++ generated/elasticsearch/component/dll.json | 8 + generated/elasticsearch/component/file.json | 8 + .../elasticsearch/component/process.json | 16 ++ schemas/code_signature.yml | 22 +++ 21 files changed, 981 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 8fe7df718f..bb9e931c49 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -23,6 +23,7 @@ Thanks, you're awesome :-) --> * Added additional host fields. #1248 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 * Extended `pe` fields added to experimental schema. #1256 +* Added `code_signature.team_id`, `code_signature.signing_id`. #1249 #### Improvements diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go index df61c3b935..c13152941d 100644 --- a/code/go/ecs/code_signature.go +++ b/code/go/ecs/code_signature.go 
@@ -43,4 +43,14 @@ type CodeSignature struct { // validity or trust status. Leave unpopulated if the validity or trust of // the certificate was unchecked. Status string `ecs:"status"` + + // The team identifier used to sign the process. + // This is used to identify the team or vendor of a software product. The + // field is relevant to Apple *OS only. + TeamID string `ecs:"team_id"` + + // The identifier used to sign the process. + // This is used to identify the application manufactured by a software + // vendor. The field is relevant to Apple *OS only. + SigningID string `ecs:"signing_id"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 56ec0e8bbe..18fd6dd687 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -782,6 +782,24 @@ example: `true` // =============================================================== +| +[[field-code-signature-signing-id]] +<> + +| The identifier used to sign the process. + +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. + +type: keyword + + + +example: `com.apple.xpc.proxy` + +| extended + +// =============================================================== + | [[field-code-signature-status]] <> @@ -816,6 +834,24 @@ example: `Microsoft Corporation` // =============================================================== +| +[[field-code-signature-team-id]] +<> + +| The team identifier used to sign the process. + +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. + +type: keyword + + + +example: `EQHXZ8M8AV` + +| extended + +// =============================================================== + | [[field-code-signature-trusted]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bad2a56e1b..1608380522 100644 --- a/experimental/generated/beats/fields.ecs.yml 
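Review bot: The comments on the new `TeamID` and `SigningID` fields say the identifier was used "to sign the process", but `CodeSignature` is also nested under `file` and `dll` (this same commit adds both fields to the dll.json and file.json component templates), so the wording is narrower than the struct's use; `// The team identifier used to sign the binary (process, file or dll).` reads correctly in every placement. Both values are read from the signature itself and carry no assurance on their own, so the comment should point consumers at the sibling fields before they are used for matching or allow-listing, e.g. `// Only meaningful when the signature was checked; correlate with the valid, trusted and status fields.` The struct's opening and its remaining fields are outside this hunk. Since `code_signature.go` appears to be generated from `schemas/code_signature.yml` (also touched by this commit), the wording change presumably belongs in the schema description rather than in this file directly.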
+++ b/experimental/generated/beats/fields.ecs.yml @@ -529,6 +529,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword @@ -547,6 +557,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -951,6 +971,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -969,6 +999,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -1846,6 +1886,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -1864,6 +1914,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -4196,6 +4256,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -4214,6 +4284,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -4343,6 +4423,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword @@ -4361,6 +4451,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 0bde23311a..e21b1815e0 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -208,8 +210,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. 
@@ -457,8 +461,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -477,8 +483,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ee97af19e6..a166c0bc37 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1255,6 +1255,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1283,6 +1298,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2954,6 +2984,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2982,6 +3027,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5977,6 +6037,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6005,6 +6080,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6213,6 +6303,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6241,6 +6346,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 4ce5d1a3ea..5c39e8b51f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -880,6 +880,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -906,6 +920,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1601,6 +1629,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1629,6 +1672,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -3403,6 +3461,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3431,6 +3504,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -7462,6 +7550,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -7490,6 +7593,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -7698,6 +7816,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -7726,6 +7859,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index ae2eb9f34b..0d50f26547 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -514,6 +514,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -522,6 +526,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -955,6 +963,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -963,6 +975,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -2113,6 +2129,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -2121,6 +2141,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -2201,6 +2225,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -2209,6 +2237,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index 5e7702fb92..73857865a8 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 5a5d4de0df..10df6dba11 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index c5747746c8..6433bd60cf 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -108,6 +116,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -116,6 +128,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4e6459e331..4c51a421e6 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -538,6 +538,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword @@ -556,6 +566,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -915,6 +935,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -933,6 +963,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -1606,6 +1646,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -1624,6 +1674,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -3562,6 +3622,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -3580,6 +3650,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -3712,6 +3792,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword @@ -3730,6 +3820,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 8048de1277..ad9d04f737 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -103,8 +103,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -174,8 +176,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,file,file.created,date,extended,,,File creation time. 
@@ -392,8 +396,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -412,8 +418,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9057ad0999..d1b62aa903 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1224,6 +1224,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1252,6 +1267,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2559,6 +2589,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2587,6 +2632,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5233,6 +5293,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -5261,6 +5336,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5472,6 +5562,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -5500,6 +5605,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 482bcf618a..24ddb6be63 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -889,6 +889,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -915,6 +929,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1548,6 +1576,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1576,6 +1619,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2985,6 +3043,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3013,6 +3086,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6357,6 +6445,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6385,6 +6488,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6596,6 +6714,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6624,6 +6757,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index b126de6d78..02dc242340 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -517,6 +517,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -525,6 +529,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -829,6 +837,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -837,6 +849,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1873,6 +1889,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1881,6 +1901,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1964,6 +1988,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1972,6 +2000,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index f70782f320..43a7d275c6 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -516,6 +516,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -524,6 +528,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
@@ -828,6 +836,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -836,6 +848,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1872,6 +1888,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1880,6 +1900,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1963,6 +1987,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1971,6 +1999,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index 00e5bc3428..29a41ba873 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index ddabf1bb60..fa355f9f35 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" 
@@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 4983b405b0..42f1df4ba3 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -111,6 +119,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -119,6 +131,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 1b22434eb1..e86cf88827 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml 
@@ -57,3 +57,25 @@ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. example: ERROR_UNTRUSTED_ROOT + + - name: team_id + level: extended + type: keyword + short: The team identifier used to sign the process. + description: > + The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. + The field is relevant to Apple *OS only. + example: EQHXZ8M8AV + + - name: signing_id + level: extended + type: keyword + short: The identifier used to sign the process. + description: > + The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only. + example: com.apple.xpc.proxy From cc9ad492e79f0eedbe8c61868b28aaafa66e1759 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 17 Feb 2021 22:03:56 -0600 Subject: [PATCH 81/90] Stage 3 changes for RFC 0007 - remove beta attribute (#1271) (#1273) --- CHANGELOG.next.md | 4 ++++ docs/field-details.asciidoc | 15 ++++++--------- experimental/generated/ecs/ecs_nested.yml | 12 +++--------- generated/ecs/ecs_nested.yml | 12 +++--------- schemas/user.yml | 3 --- 5 files changed, 16 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index bb9e931c49..002b86386e 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -9,6 +9,10 @@ Thanks, you're awesome :-) --> ## Unreleased ### Schema Changes + +#### Improvements + +* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 ### Tooling and Artifact Changes #### Breaking changes diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 18fd6dd687..c9f424e409 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
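Review bot: The `short` and `description` of the new `team_id` and `signing_id` fields say "used to sign the process", but `code_signature` is also reused under `file` and `dll`, so the generated `file.code_signature.signing_id` and `dll.code_signature.signing_id` entries in `generated/csv/fields.csv` now carry a process-specific sentence that does not fit them. Wording that is neutral across the reuse sites would read `short: The identifier used to sign the code.` and `short: The team identifier used to sign the code.`, with the `description` bodies adjusted the same way. Because these values are read from the signature itself rather than from a verified chain, consider adding one sentence to each description stating that they should be interpreted together with `code_signature.valid` and `code_signature.trusted`, as `subject_name` already is by convention; a match on `team_id` alone says nothing about whether the signature actually verified. Ordering the two new entries alphabetically (`signing_id` before `team_id`) would also match how the generated artifacts emit them.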
@@ -7990,16 +7990,14 @@ Note also that the `user` fields may be used directly at the root of the events. // =============================================================== -| <>| beta:[ Reusing the user fields in this location is currently considered beta.] - -Fields to describe the user relevant to the event. +| <> +| Fields to describe the user relevant to the event. // =============================================================== -| <>| beta:[ Reusing the user fields in this location is currently considered beta.] - -Fields to describe the user relevant to the event. +| <> +| Fields to describe the user relevant to the event. // =============================================================== @@ -8010,9 +8008,8 @@ Fields to describe the user relevant to the event. // =============================================================== -| <>| beta:[ Reusing the user fields in this location is currently considered beta.] - -Fields to describe the user relevant to the event. +| <> +| Fields to describe the user relevant to the event. // =============================================================== diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5c39e8b51f..cd00f781a0 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -12570,31 +12570,25 @@ user: full: source.user - as: target at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.target - as: effective at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.effective - as: changes at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.changes top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.target + - full: user.target schema_name: user short: Fields to describe the user relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.effective + - full: user.effective schema_name: user short: Fields to describe the user relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.changes + - full: user.changes schema_name: user short: Fields to describe the user relevant to the event. short: Fields to describe the user relevant to the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 24ddb6be63..f1da0bd933 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10777,31 +10777,25 @@ user: full: source.user - as: target at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.target - as: effective at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.effective - as: changes at: user - beta: Reusing the user fields in this location is currently considered beta. full: user.changes top_level: true reused_here: - full: user.group schema_name: group short: User's group relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.target + - full: user.target schema_name: user short: Fields to describe the user relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.effective + - full: user.effective schema_name: user short: Fields to describe the user relevant to the event. - - beta: Reusing the user fields in this location is currently considered beta. - full: user.changes + - full: user.changes schema_name: user short: Fields to describe the user relevant to the event. short: Fields to describe the user relevant to the event. diff --git a/schemas/user.yml b/schemas/user.yml index 0fe7a32411..ce5a45e816 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -20,13 +20,10 @@ - source - at: user as: target - beta: Reusing the user fields in this location is currently considered beta. - at: user as: effective - beta: Reusing the user fields in this location is currently considered beta. - at: user as: changes - beta: Reusing the user fields in this location is currently considered beta. # TODO Temporarily commented out to simplify initial rewrite review From 40ee8d0c01267ac55d1fccda730c21ff403eb468 Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Wed, 17 Feb 2021 22:31:57 -0600 Subject: [PATCH 82/90] Stage 1 experimental changes for RFC 0008 - threat.indicator fields (#1268) (#1274) --- CHANGELOG.next.md | 1 + experimental/generated/beats/fields.ecs.yml | 813 +++++++++ experimental/generated/csv/fields.csv | 112 ++ experimental/generated/ecs/ecs_flat.yml | 1350 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 1607 +++++++++++++++-- .../generated/elasticsearch/7/template.json | 492 +++++ .../elasticsearch/component/threat.json | 492 +++++ experimental/schemas/as.yml | 4 + experimental/schemas/file.yml | 4 + experimental/schemas/geo.yml | 4 + experimental/schemas/hash.yml | 5 + experimental/schemas/pe.yml | 4 + experimental/schemas/registry.yml | 4 + experimental/schemas/threat.yml | 196 ++ 14 files changed, 4986 insertions(+), 102 deletions(-) create mode 100644 experimental/schemas/hash.yml create mode 100644 experimental/schemas/threat.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 002b86386e..a3c3517daf 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -28,6 +28,7 @@ Thanks, you're awesome :-) --> * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 * Extended `pe` fields added to experimental schema. #1256 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249 +* Add `threat.indicator` fields to experimental schema. #1268 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 1608380522..b3a81e12e2 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -6075,6 +6075,819 @@ can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. example: MITRE ATT&CK + - name: indicator.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: indicator.as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + default_field: false + - name: indicator.confidence + level: extended + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.dataset + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware + default_field: false + - name: indicator.description + level: extended + type: wildcard + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: indicator.domain + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com + default_field: false + - name: indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + default_field: false + - name: indicator.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: indicator.file.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: indicator.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: indicator.file.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: indicator.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. 
+ + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: indicator.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: indicator.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + default_field: false + - name: indicator.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' 
+ example: C + default_field: false + - name: indicator.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: indicator.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: indicator.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: indicator.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. 
+ example: alice + default_field: false + - name: indicator.file.path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: indicator.file.size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: indicator.file.target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. 
+ example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White + default_field: false + - name: indicator.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com + default_field: false + - name: indicator.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: indicator.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. + example: domain-name + default_field: false + - name: indicator.module + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of specific module this data is coming from. 
+ example: threatintel + default_field: false + - name: indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: indicator.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: indicator.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: indicator.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. 
+ example: 1296336 + default_field: false + - name: indicator.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: indicator.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: indicator.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: indicator.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: indicator.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: indicator.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: indicator.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: indicator.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: indicator.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: indicator.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: indicator.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: indicator.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: indicator.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: indicator.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: -1 + default_field: false + - name: indicator.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: indicator.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: indicator.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: indicator.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: indicator.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: indicator.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: indicator.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: indicator.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: indicator.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: indicator.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. 
+ example: rx + default_field: false + - name: indicator.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: indicator.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: indicator.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of the intelligence provider. + example: VirusTotal + default_field: false + - name: indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: indicator.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: indicator.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ + \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x-509-certificate" + example: ipv4-addr + default_field: false - name: tactic.id level: extended type: keyword 
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index e21b1815e0..b9b7569221 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -706,6 +706,118 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating +1.9.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset +1.9.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +1.9.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name +1.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +1.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +1.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." 
+1.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +1.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +1.9.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +1.9.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. +1.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. 
+1.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. +1.9.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +1.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +1.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +1.9.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match +1.9.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match +1.9.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match +1.9.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module +1.9.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+1.9.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information +1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+1.9.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.9.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. 
+1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +1.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. +1.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+1.9.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +1.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +1.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. 1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a166c0bc37..f51f63864f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -8975,6 +8975,1356 @@ threat.framework: normalize: [] short: Threat classification framework. type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. 
+ example: threatintel.abusemalware + flat_name: threat.indicator.dataset + ignore_above: 1024 + level: extended + name: indicator.dataset + normalize: [] + short: Indicator dataset + type: keyword +threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: wildcard +threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain + ignore_above: 1024 + level: extended + name: indicator.domain + normalize: [] + short: Indicator domain name + type: keyword +threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. 
This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
+ type: keyword +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. 
+ type: keyword +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. 
+ type: keyword +threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. 
+ example: Canada
+ flat_name: threat.indicator.geo.country_name
+ ignore_above: 1024
+ level: core
+ name: country_name
+ normalize: []
+ original_fieldset: geo
+ short: Country name.
+ type: keyword
+threat.indicator.geo.location:
+ dashed_name: threat-indicator-geo-location
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ flat_name: threat.indicator.geo.location
+ level: core
+ name: location
+ normalize: []
+ original_fieldset: geo
+ short: Longitude and latitude.
+ type: geo_point
+threat.indicator.geo.name:
+ dashed_name: threat-indicator-geo-name
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes a
+ local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ flat_name: threat.indicator.geo.name
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: geo
+ short: User-defined description of a location.
+ type: wildcard
+threat.indicator.geo.postal_code:
+ dashed_name: threat-indicator-geo-postal-code
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ flat_name: threat.indicator.geo.postal_code
+ ignore_above: 1024
+ level: core
+ name: postal_code
+ normalize: []
+ original_fieldset: geo
+ short: Postal code.
+ type: keyword
+threat.indicator.geo.region_iso_code:
+ dashed_name: threat-indicator-geo-region-iso-code
+ description: Region ISO code.
+ example: CA-QC
+ flat_name: threat.indicator.geo.region_iso_code
+ ignore_above: 1024
+ level: core
+ name: region_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Region ISO code.
+ type: keyword
+threat.indicator.geo.region_name:
+ dashed_name: threat-indicator-geo-region-name
+ description: Region name.
+ example: Quebec
+ flat_name: threat.indicator.geo.region_name
+ ignore_above: 1024
+ level: core
+ name: region_name
+ normalize: []
+ original_fieldset: geo
+ short: Region name.
+ type: keyword
+threat.indicator.geo.timezone:
+ dashed_name: threat-indicator-geo-timezone
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ flat_name: threat.indicator.geo.timezone
+ ignore_above: 1024
+ level: core
+ name: timezone
+ normalize: []
+ original_fieldset: geo
+ short: Time zone.
+ type: keyword
+threat.indicator.hash.md5:
+ dashed_name: threat-indicator-hash-md5
+ description: MD5 hash.
+ flat_name: threat.indicator.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: md5
+ normalize: []
+ original_fieldset: hash
+ short: MD5 hash.
+ type: keyword
+threat.indicator.hash.sha1:
+ dashed_name: threat-indicator-hash-sha1
+ description: SHA1 hash.
+ flat_name: threat.indicator.hash.sha1
+ ignore_above: 1024
+ level: extended
+ name: sha1
+ normalize: []
+ original_fieldset: hash
+ short: SHA1 hash.
+ type: keyword
+threat.indicator.hash.sha256:
+ dashed_name: threat-indicator-hash-sha256
+ description: SHA256 hash.
+ flat_name: threat.indicator.hash.sha256
+ ignore_above: 1024
+ level: extended
+ name: sha256
+ normalize: []
+ original_fieldset: hash
+ short: SHA256 hash.
+ type: keyword
+threat.indicator.hash.sha512:
+ dashed_name: threat-indicator-hash-sha512
+ description: SHA512 hash.
+ flat_name: threat.indicator.hash.sha512
+ ignore_above: 1024
+ level: extended
+ name: sha512
+ normalize: []
+ original_fieldset: hash
+ short: SHA512 hash.
+ type: keyword
+threat.indicator.hash.ssdeep:
+ dashed_name: threat-indicator-hash-ssdeep
+ description: SSDEEP hash.
+ flat_name: threat.indicator.hash.ssdeep
+ ignore_above: 1024
+ level: extended
+ name: ssdeep
+ normalize: []
+ original_fieldset: hash
+ short: SSDEEP hash.
+ type: keyword
+threat.indicator.ip:
+ dashed_name: threat-indicator-ip
+ description: Identifies a threat indicator as an IP address (irrespective of direction).
+ example: 1.2.3.4
+ flat_name: threat.indicator.ip
+ level: extended
+ name: indicator.ip
+ normalize: []
+ short: Indicator IP address
+ type: ip
+threat.indicator.last_seen:
+ dashed_name: threat-indicator-last-seen
+ description: The date and time when intelligence source last reported sighting this
+ indicator.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.indicator.last_seen
+ level: extended
+ name: indicator.last_seen
+ normalize: []
+ short: Date/time indicator was last reported.
+ type: date
+threat.indicator.marking.tlp:
+ dashed_name: threat-indicator-marking-tlp
+ description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \
+ \ * White\n * Green\n * Amber\n * Red"
+ example: White
+ flat_name: threat.indicator.marking.tlp
+ ignore_above: 1024
+ level: extended
+ name: indicator.marking.tlp
+ normalize: []
+ short: Indicator TLP marking
+ type: keyword
+threat.indicator.matched.atomic:
+ dashed_name: threat-indicator-matched-atomic
+ description: Identifies the atomic indicator that matched a local environment endpoint
+ or network event.
+ example: example.com
+ flat_name: threat.indicator.matched.atomic
+ ignore_above: 1024
+ level: extended
+ name: indicator.matched.atomic
+ normalize: []
+ short: Indicator atomic match
+ type: keyword
+threat.indicator.matched.field:
+ dashed_name: threat-indicator-matched-field
+ description: Identifies the field of the atomic indicator that matched a local environment
+ endpoint or network event.
+ example: file.hash.sha256
+ flat_name: threat.indicator.matched.field
+ ignore_above: 1024
+ level: extended
+ name: indicator.matched.field
+ normalize: []
+ short: Indicator field match
+ type: keyword
+threat.indicator.matched.type:
+ dashed_name: threat-indicator-matched-type
+ description: Identifies the type of the atomic indicator that matched a local environment
+ endpoint or network event.
+ example: domain-name
+ flat_name: threat.indicator.matched.type
+ ignore_above: 1024
+ level: extended
+ name: indicator.matched.type
+ normalize: []
+ short: Indicator type match
+ type: keyword
+threat.indicator.module:
+ dashed_name: threat-indicator-module
+ description: Identifies the name of specific module this data is coming from.
+ example: threatintel
+ flat_name: threat.indicator.module
+ ignore_above: 1024
+ level: extended
+ name: indicator.module
+ normalize: []
+ short: Indicator module
+ type: keyword
+threat.indicator.pe.architecture:
+ dashed_name: threat-indicator-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: threat.indicator.pe.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: pe
+ short: CPU architecture target for the file.
+ type: keyword
+threat.indicator.pe.authentihash:
+ dashed_name: threat-indicator-pe-authentihash
+ description: Authentihash of the PE file.
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+ flat_name: threat.indicator.pe.authentihash
+ ignore_above: 1024
+ level: extended
+ name: authentihash
+ normalize: []
+ original_fieldset: pe
+ short: Authentihash of the PE file.
+ type: keyword
+threat.indicator.pe.company:
+ dashed_name: threat-indicator-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: threat.indicator.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+threat.indicator.pe.compile_timestamp:
+ dashed_name: threat-indicator-pe-compile-timestamp
+ description: Compile timestamp of the PE file.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.indicator.pe.compile_timestamp
+ level: extended
+ name: compile_timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Compile timestamp of the PE file.
+ type: date
+threat.indicator.pe.compiler.name:
+ dashed_name: threat-indicator-pe-compiler-name
+ description: Name of the compiler
+ example: Clang
+ flat_name: threat.indicator.pe.compiler.name
+ ignore_above: 1024
+ level: extended
+ name: compiler.name
+ normalize: []
+ original_fieldset: pe
+ short: Name of the compiler
+ type: keyword
+threat.indicator.pe.compiler.version:
+ dashed_name: threat-indicator-pe-compiler-version
+ description: Version of the compiler.
+ example: 11.0.0
+ flat_name: threat.indicator.pe.compiler.version
+ ignore_above: 1024
+ level: extended
+ name: compiler.version
+ normalize: []
+ original_fieldset: pe
+ short: Version of the compiler.
+ type: keyword
+threat.indicator.pe.creation_date:
+ dashed_name: threat-indicator-pe-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when it
+ was built or compiled. It can also be faked by malware creators.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.indicator.pe.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: pe
+ short: Build or compile date.
+ type: date
+threat.indicator.pe.debug:
+ dashed_name: threat-indicator-pe-debug
+ description: 'An array containing an object for each debug entry, if present.
+
+ The expected fields for this nested object fall under the `debug.` prefix.'
+ flat_name: threat.indicator.pe.debug
+ level: extended
+ name: debug
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Debug information
+ type: nested
+threat.indicator.pe.debug.offset:
+ dashed_name: threat-indicator-pe-debug-offset
+ description: Debug offset information.
+ example: 1296336
+ flat_name: threat.indicator.pe.debug.offset
+ ignore_above: 1024
+ level: extended
+ name: debug.offset
+ normalize: []
+ original_fieldset: pe
+ short: Debug offset information.
+ type: keyword
+threat.indicator.pe.debug.size:
+ dashed_name: threat-indicator-pe-debug-size
+ description: Size of the debug information.
+ example: 816
+ flat_name: threat.indicator.pe.debug.size
+ format: bytes
+ level: extended
+ name: debug.size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the debug information.
+ type: long
+threat.indicator.pe.debug.timestamp:
+ dashed_name: threat-indicator-pe-debug-timestamp
+ description: Timestamp of the debug information.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.indicator.pe.debug.timestamp
+ level: extended
+ name: debug.timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Timestamp of the debug information.
+ type: date
+threat.indicator.pe.debug.type:
+ dashed_name: threat-indicator-pe-debug-type
+ description: Information type generated by the debug options.
+ example: IMAGE_DEBUG_TYPE_POGO
+ flat_name: threat.indicator.pe.debug.type
+ ignore_above: 1024
+ level: extended
+ name: debug.type
+ normalize: []
+ original_fieldset: pe
+ short: Information type generated by the debug options.
+ type: keyword
+threat.indicator.pe.description:
+ dashed_name: threat-indicator-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: threat.indicator.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+threat.indicator.pe.entry_point:
+ dashed_name: threat-indicator-pe-entry-point
+ description: Relative byte offset to the base of the PE file.
+ example: 25856
+ flat_name: threat.indicator.pe.entry_point
+ ignore_above: 1024
+ level: extended
+ name: entry_point
+ normalize: []
+ original_fieldset: pe
+ short: Relative byte offset to the base of the PE file.
+ type: keyword
+threat.indicator.pe.exports:
+ dashed_name: threat-indicator-pe-exports
+ description: List of symbols exported by PE
+ example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+ flat_name: threat.indicator.pe.exports
+ ignore_above: 1024
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of symbols exported by PE
+ type: keyword
+threat.indicator.pe.file_version:
+ dashed_name: threat-indicator-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: threat.indicator.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+threat.indicator.pe.icon.hash.dhash:
+ dashed_name: threat-indicator-pe-icon-hash-dhash
+ description: Difference Hash (dhash) to find files with a visually similar icon
+ or thumbnail.
+ example: b806e17c8e330d82
+ flat_name: threat.indicator.pe.icon.hash.dhash
+ ignore_above: 1024
+ level: extended
+ name: icon.hash.dhash
+ normalize: []
+ original_fieldset: pe
+ short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+ type: keyword
+threat.indicator.pe.imphash:
+ dashed_name: threat-indicator-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+ can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: threat.indicator.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+threat.indicator.pe.imports:
+ dashed_name: threat-indicator-pe-imports
+ description: List of all imported functions
+ example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+ }'
+ flat_name: threat.indicator.pe.imports
+ level: extended
+ name: imports
+ normalize: []
+ original_fieldset: pe
+ short: List of all imported functions
+ type: flattened
+threat.indicator.pe.machine_type:
+ dashed_name: threat-indicator-pe-machine-type
+ description: Machine type of the PE file.
+ example: Intel 386 or later, and compatibles
+ flat_name: threat.indicator.pe.machine_type
+ ignore_above: 1024
+ level: extended
+ name: machine_type
+ normalize: []
+ original_fieldset: pe
+ short: Machine type of the PE file.
+ type: keyword
+threat.indicator.pe.original_file_name:
+ dashed_name: threat-indicator-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: threat.indicator.pe.original_file_name
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: wildcard
+threat.indicator.pe.packers:
+ dashed_name: threat-indicator-pe-packers
+ description: List of packers and tools used.
+ example: '["ASPack v2.12", ".NET executable"]'
+ flat_name: threat.indicator.pe.packers
+ ignore_above: 1024
+ level: extended
+ name: packers
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of packers and tools used.
+ type: keyword
+threat.indicator.pe.product:
+ dashed_name: threat-indicator-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ flat_name: threat.indicator.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+threat.indicator.pe.resources:
+ dashed_name: threat-indicator-pe-resources
+ description: 'An array containing an object for each PE resource, if present.
+
+ The expected fields for this nested object fall under the `resources.` prefix.'
+ flat_name: threat.indicator.pe.resources
+ level: extended
+ name: resources
+ normalize:
+ - array
+ original_fieldset: pe
+ short: PE resource information
+ type: nested
+threat.indicator.pe.resources.chi2:
+ dashed_name: threat-indicator-pe-resources-chi2
+ description: Chi-square probability distribution.
+ example: -1
+ flat_name: threat.indicator.pe.resources.chi2
+ level: extended
+ name: resources.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+threat.indicator.pe.resources.entropy:
+ dashed_name: threat-indicator-pe-resources-entropy
+ description: Measurement of entropy randomness in the resources section.
+ example: 0, 1
+ flat_name: threat.indicator.pe.resources.entropy
+ level: extended
+ name: resources.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the resources section.
+ type: long
+threat.indicator.pe.resources.filetype:
+ dashed_name: threat-indicator-pe-resources-filetype
+ description: File type of the resources section.
+ example: Data
+ flat_name: threat.indicator.pe.resources.filetype
+ ignore_above: 1024
+ level: extended
+ name: resources.filetype
+ normalize: []
+ original_fieldset: pe
+ short: File type of the resources section.
+ type: keyword
+threat.indicator.pe.resources.language:
+ dashed_name: threat-indicator-pe-resources-language
+ description: Language identification.
+ example: CHINESE SIMPLIFIED
+ flat_name: threat.indicator.pe.resources.language
+ ignore_above: 1024
+ level: extended
+ name: resources.language
+ normalize: []
+ original_fieldset: pe
+ short: Language identification.
+ type: keyword
+threat.indicator.pe.resources.sha256:
+ dashed_name: threat-indicator-pe-resources-sha256
+ description: SHA256 hash of resources section.
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ flat_name: threat.indicator.pe.resources.sha256
+ ignore_above: 1024
+ level: extended
+ name: resources.sha256
+ normalize: []
+ original_fieldset: pe
+ short: SHA256 hash of resources section.
+ type: keyword
+threat.indicator.pe.resources.type:
+ dashed_name: threat-indicator-pe-resources-type
+ description: Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ flat_name: threat.indicator.pe.resources.type
+ ignore_above: 1024
+ level: extended
+ name: resources.type
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of resource types.
+ type: keyword
+threat.indicator.pe.rich_header.hash.md5:
+ dashed_name: threat-indicator-pe-rich-header-hash-md5
+ description: MD5 hash of the header for the PE file.
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+ flat_name: threat.indicator.pe.rich_header.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: rich_header.hash.md5
+ normalize: []
+ original_fieldset: pe
+ short: MD5 hash of the header for the PE file.
+ type: keyword
+threat.indicator.pe.sections:
+ dashed_name: threat-indicator-pe-sections
+ description: Data about sections of compiled binary PE
+ flat_name: threat.indicator.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Data about sections of the compiled binary PE
+ type: nested
+threat.indicator.pe.sections.chi2:
+ dashed_name: threat-indicator-pe-sections-chi2
+ description: Chi-square probability distribution.
+ example: 3027194
+ flat_name: threat.indicator.pe.sections.chi2
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+threat.indicator.pe.sections.entropy:
+ dashed_name: threat-indicator-pe-sections-entropy
+ description: Measurement of entropy randomness in the file.
+ example: 6.24
+ flat_name: threat.indicator.pe.sections.entropy
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the file.
+ type: float
+threat.indicator.pe.sections.flags:
+ dashed_name: threat-indicator-pe-sections-flags
+ description: Section flags of the file.
+ example: rx
+ flat_name: threat.indicator.pe.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: pe
+ short: Section flags of the file.
+ type: keyword
+threat.indicator.pe.sections.name:
+ dashed_name: threat-indicator-pe-sections-name
+ description: Section names of the file.
+ example: .text, .data
+ flat_name: threat.indicator.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: Section names of the file.
+ type: keyword
+threat.indicator.pe.sections.raw_size:
+ dashed_name: threat-indicator-pe-sections-raw-size
+ description: Size of the section or the dize of the initialized data on disk.
+ example: 198144
+ flat_name: threat.indicator.pe.sections.raw_size
+ format: bytes
+ level: extended
+ name: sections.raw_size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the section or the dize of the initialized data on disk.
+ type: long
+threat.indicator.pe.sections.virtual_address:
+ dashed_name: threat-indicator-pe-sections-virtual-address
+ description: Virtual address available to the file.
+ example: 8192
+ flat_name: threat.indicator.pe.sections.virtual_address
+ format: bytes
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: pe
+ short: Virtual address available to the file.
+ type: long
+threat.indicator.port:
+ dashed_name: threat-indicator-port
+ description: Identifies a threat indicator as a port number (irrespective of direction).
+ example: 443
+ flat_name: threat.indicator.port
+ level: extended
+ name: indicator.port
+ normalize: []
+ short: Indicator port
+ type: long
+threat.indicator.provider:
+ dashed_name: threat-indicator-provider
+ description: Identifies the name of the intelligence provider.
+ example: VirusTotal
+ flat_name: threat.indicator.provider
+ ignore_above: 1024
+ level: extended
+ name: indicator.provider
+ normalize: []
+ short: Identifies the name of the intelligence provider.
+ type: keyword
+threat.indicator.registry.data.bytes:
+ dashed_name: threat-indicator-registry-data-bytes
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides better
+ recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ flat_name: threat.indicator.registry.data.bytes
+ ignore_above: 1024
+ level: extended
+ name: data.bytes
+ normalize: []
+ original_fieldset: registry
+ short: Original bytes written with base64 encoding.
+ type: keyword
+threat.indicator.registry.data.strings:
+ dashed_name: threat-indicator-registry-data-strings
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single string
+ registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+ For sequences of string with REG_MULTI_SZ, this array will be variable length.
+ For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+ the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ flat_name: threat.indicator.registry.data.strings
+ level: core
+ name: data.strings
+ normalize:
+ - array
+ original_fieldset: registry
+ short: List of strings representing what was written to the registry.
+ type: wildcard
+threat.indicator.registry.data.type:
+ dashed_name: threat-indicator-registry-data-type
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ flat_name: threat.indicator.registry.data.type
+ ignore_above: 1024
+ level: core
+ name: data.type
+ normalize: []
+ original_fieldset: registry
+ short: Standard registry type for encoding contents
+ type: keyword
+threat.indicator.registry.hive:
+ dashed_name: threat-indicator-registry-hive
+ description: Abbreviated name for the hive.
+ example: HKLM
+ flat_name: threat.indicator.registry.hive
+ ignore_above: 1024
+ level: core
+ name: hive
+ normalize: []
+ original_fieldset: registry
+ short: Abbreviated name for the hive.
+ type: keyword
+threat.indicator.registry.key:
+ dashed_name: threat-indicator-registry-key
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ flat_name: threat.indicator.registry.key
+ level: core
+ name: key
+ normalize: []
+ original_fieldset: registry
+ short: Hive-relative path of keys.
+ type: wildcard
+threat.indicator.registry.path:
+ dashed_name: threat-indicator-registry-path
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ flat_name: threat.indicator.registry.path
+ level: core
+ name: path
+ normalize: []
+ original_fieldset: registry
+ short: Full path, including hive, key and value
+ type: wildcard
+threat.indicator.registry.value:
+ dashed_name: threat-indicator-registry-value
+ description: Name of the value written.
+ example: Debugger
+ flat_name: threat.indicator.registry.value
+ ignore_above: 1024
+ level: core
+ name: value
+ normalize: []
+ original_fieldset: registry
+ short: Name of the value written.
+ type: keyword
+threat.indicator.scanner_stats:
+ dashed_name: threat-indicator-scanner-stats
+ description: Count of AV/EDR vendors that successfully detected malicious file or
+ URL.
+ example: 4
+ flat_name: threat.indicator.scanner_stats
+ level: extended
+ name: indicator.scanner_stats
+ normalize: []
+ short: Scanner statistics
+ type: long
+threat.indicator.sightings:
+ dashed_name: threat-indicator-sightings
+ description: Number of times this indicator was observed conducting threat activity.
+ example: 20
+ flat_name: threat.indicator.sightings
+ level: extended
+ name: indicator.sightings
+ normalize: []
+ short: Number of times indicator observed
+ type: long
+threat.indicator.type:
+ dashed_name: threat-indicator-type
+ description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
+ Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\
+ \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\
+ \ * process\n * software\n * url\n * user-account\n * windows-registry-key\n\
+ \ * x-509-certificate"
+ example: ipv4-addr
+ flat_name: threat.indicator.type
+ ignore_above: 1024
+ level: extended
+ name: indicator.type
+ normalize: []
+ short: Type of indicator
+ type: keyword
 threat.tactic.id:
 dashed_name: threat-tactic-id
 description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index cd00f781a0..46621ccf87 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -149,6 +149,9 @@ as:
 - as: as
 at: source
 full: source.as
+ - as: as
+ at: threat.indicator
+ full: threat.indicator.as
 top_level: false
 short: Fields describing an Autonomous System (Internet routing prefix).
 title: Autonomous System
@@ -4599,6 +4602,12 @@ file:
 - file.pe
 - file.x509
 prefix: file.
+ reusable:
+ expected:
+ - as: file
+ at: threat.indicator
+ full: threat.indicator.file
+ top_level: true
 reused_here:
 - full: file.code_signature
 schema_name: code_signature
@@ -4773,6 +4782,9 @@ geo:
 - as: geo
 at: source
 full: source.geo
+ - as: geo
+ at: threat.indicator
+ full: threat.indicator.geo
 top_level: false
 short: Fields describing a location.
 title: Geo
@@ -4901,6 +4913,9 @@ hash:
 - as: hash
 at: dll
 full: dll.hash
+ - as: hash
+ at: threat.indicator
+ full: threat.indicator.hash
 top_level: false
 short: Hashes, usually file hashes.
 title: Hash
@@ -7499,6 +7514,9 @@ pe:
 - as: pe
 at: process
 full: process.pe
+ - as: pe
+ at: threat.indicator
+ full: threat.indicator.pe
 top_level: false
 short: These fields contain Windows Portable Executable (PE) metadata.
 title: PE Header
@@ -9304,6 +9322,12 @@ registry:
 group: 2
 name: registry
 prefix: registry.
+ reusable:
+ expected:
+ - as: registry
+ at: threat.indicator
+ full: threat.indicator.registry
+ top_level: true
 short: Fields related to Windows Registry operations.
 title: Registry
 type: group
@@ -10629,137 +10653,1516 @@ threat: normalize: [] short: Threat classification framework. type: keyword - threat.tactic.id: - dashed_name: threat-tactic-id - description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" - example: TA0002 - flat_name: threat.tactic.id + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: tactic.id - normalize: - - array - short: Threat tactic id. + name: indicator.confidence + normalize: [] + short: Indicator confidence rating type: keyword - threat.tactic.name: - dashed_name: threat-tactic-name - description: "Name of the type of tactic used by this threat. 
You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" - example: Execution - flat_name: threat.tactic.name + threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware + flat_name: threat.indicator.dataset ignore_above: 1024 level: extended - name: tactic.name - normalize: - - array - short: Threat tactic. + name: indicator.dataset + normalize: [] + short: Indicator dataset type: keyword - threat.tactic.reference: - dashed_name: threat-tactic-reference - description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ - \ )" - example: https://attack.mitre.org/tactics/TA0002/ - flat_name: threat.tactic.reference + threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: wildcard + threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain ignore_above: 1024 level: extended - name: tactic.reference - normalize: - - array - short: Threat tactic URL reference. + name: indicator.domain + normalize: [] + short: Indicator domain name type: keyword - threat.technique.id: - dashed_name: threat-technique-id - description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)" - example: T1059 - flat_name: threat.technique.id + threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: technique.id - normalize: - - array - short: Threat technique id. + name: indicator.email.address + normalize: [] + short: Indicator email address type: keyword - threat.technique.name: - dashed_name: threat-technique-name - description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" - example: Command and Scripting Interpreter - flat_name: threat.technique.name + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.technique.name.text - name: text - norms: false - type: text - name: technique.name + name: attributes normalize: - array - short: Threat technique name. + original_fieldset: file + short: Array of file attributes. 
type: keyword - threat.technique.reference: - dashed_name: threat-technique-reference - description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" - example: https://attack.mitre.org/techniques/T1059/ - flat_name: threat.technique.reference + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: technique.reference - normalize: - - array - short: Threat technique URL reference. + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - threat.technique.subtechnique.id: - dashed_name: threat-technique-subtechnique-id - description: "The full id of subtechnique used by this threat. You can use a\ - \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: T1059.001 - flat_name: threat.technique.subtechnique.id + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: technique.subtechnique.id - normalize: - - array - short: Threat subtechnique id. + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.technique.subtechnique.name: - dashed_name: threat-technique-subtechnique-name - description: "The name of subtechnique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: PowerShell - flat_name: threat.technique.subtechnique.name + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.technique.subtechnique.name.text - name: text - norms: false - type: text - name: technique.subtechnique.name - normalize: - - array - short: Threat subtechnique name. 
+ name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - threat.technique.subtechnique.reference: - dashed_name: threat-technique-subtechnique-reference - description: "The reference url of subtechnique used by this threat. You can\ - \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: https://attack.mitre.org/techniques/T1059/001/ - flat_name: threat.technique.subtechnique.reference + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. 
+ type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended - name: technique.subtechnique.reference - normalize: - - array - short: Threat subtechnique URL reference. + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. type: keyword - group: 2 - name: threat - prefix: threat. + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. 
+ type: keyword + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. 
+ flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. 
+ example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.indicator.ip: + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). 
+ example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.matched.atomic: + dashed_name: threat-indicator-matched-atomic + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com + flat_name: threat.indicator.matched.atomic + ignore_above: 1024 + level: extended + name: indicator.matched.atomic + normalize: [] + short: Indicator atomic match + type: keyword + threat.indicator.matched.field: + dashed_name: threat-indicator-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.indicator.matched.field + ignore_above: 1024 + level: extended + name: indicator.matched.field + normalize: [] + short: Indicator field match + type: keyword + threat.indicator.matched.type: + dashed_name: threat-indicator-matched-type + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. 
+ example: domain-name + flat_name: threat.indicator.matched.type + ignore_above: 1024 + level: extended + name: indicator.matched.type + normalize: [] + short: Indicator type match + type: keyword + threat.indicator.module: + dashed_name: threat-indicator-module + description: Identifies the name of specific module this data is coming from. + example: threatintel + flat_name: threat.indicator.module + ignore_above: 1024 + level: extended + name: indicator.module + normalize: [] + short: Indicator module + type: keyword + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.indicator.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.indicator.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.indicator.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: threat.indicator.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.indicator.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.indicator.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. 
+ example: 25856 + flat_name: threat.indicator.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.indicator.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.indicator.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.indicator.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.indicator.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.indicator.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.indicator.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.indicator.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.indicator.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: threat.indicator.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.indicator.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.indicator.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.indicator.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.indicator.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: threat.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.indicator.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.indicator.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.indicator.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.indicator.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address + description: Virtual address available to the file. 
+ example: 8192 + flat_name: threat.indicator.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.indicator.port: + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.provider: + dashed_name: threat-indicator-provider + description: Identifies the name of the intelligence provider. + example: VirusTotal + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Identifies the name of the intelligence provider. + type: keyword + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
+ type: wildcard + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.indicator.scanner_stats: + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ + \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x-509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.tactic.id: + dashed_name: threat-tactic-id + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 + flat_name: threat.tactic.id + ignore_above: 1024 + level: extended + name: tactic.id + normalize: + - array + short: Threat tactic id. + type: keyword + threat.tactic.name: + dashed_name: threat-tactic-name + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution + flat_name: threat.tactic.name + ignore_above: 1024 + level: extended + name: tactic.name + normalize: + - array + short: Threat tactic. + type: keyword + threat.tactic.reference: + dashed_name: threat-tactic-reference + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/\ + \ )" + example: https://attack.mitre.org/tactics/TA0002/ + flat_name: threat.tactic.reference + ignore_above: 1024 + level: extended + name: tactic.reference + normalize: + - array + short: Threat tactic URL reference. + type: keyword + threat.technique.id: + dashed_name: threat-technique-id + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 + flat_name: threat.technique.id + ignore_above: 1024 + level: extended + name: technique.id + normalize: + - array + short: Threat technique id. + type: keyword + threat.technique.name: + dashed_name: threat-technique-name + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter + flat_name: threat.technique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.name.text + name: text + norms: false + type: text + name: technique.name + normalize: + - array + short: Threat technique name. + type: keyword + threat.technique.reference: + dashed_name: threat-technique-reference + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + flat_name: threat.technique.reference + ignore_above: 1024 + level: extended + name: technique.reference + normalize: + - array + short: Threat technique URL reference. + type: keyword + threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword + threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword + threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword + group: 2 + name: threat + nestings: + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash + - threat.indicator.pe + - threat.indicator.registry + prefix: threat. + reused_here: + - full: threat.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: threat.indicator.file + schema_name: file + short: Fields describing files. + - full: threat.indicator.geo + schema_name: geo + short: Fields describing a location. 
+ - full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. + - full: threat.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - full: threat.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. short: Fields to classify events and alerts according to a threat taxonomy. title: Threat type: group diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 0d50f26547..d0e3ddd29d 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -3223,6 +3223,498 @@ "ignore_above": 1024, "type": "keyword" }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { 
+ "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tactic": { "properties": { "id": { diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 1a7e47a34b..6c55f638e4 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json 
@@ -12,6 +12,498 @@ "ignore_above": 1024, "type": "keyword" }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { 
+ "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tactic": { "properties": { "id": { diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml index 96cf45621c..8971f535d9 100644 --- a/experimental/schemas/as.yml +++ b/experimental/schemas/as.yml @@ -1,5 +1,9 @@ --- - name: as + reusable: + expected: + - threat.indicator + fields: - name: organization.name type: wildcard diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml index f4938d38be..a53f9ea3ff 100644 --- a/experimental/schemas/file.yml +++ b/experimental/schemas/file.yml @@ -1,5 +1,9 @@ --- - name: file + reusable: + expected: + - threat.indicator + fields: - name: directory type: wildcard diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml index d3445a5a2b..cbacd44b6e 100644 --- a/experimental/schemas/geo.yml +++ b/experimental/schemas/geo.yml 
@@ -1,5 +1,9 @@ --- - name: geo + reusable: + expected: + - threat.indicator + fields: - name: name type: wildcard diff --git a/experimental/schemas/hash.yml b/experimental/schemas/hash.yml new file mode 100644 index 0000000000..957ad48503 --- /dev/null +++ b/experimental/schemas/hash.yml @@ -0,0 +1,5 @@ +--- +- name: hash + reusable: + expected: + - threat.indicator diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index 9ed4b4da8c..c5ef5c8349 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml @@ -1,5 +1,9 @@ --- - name: pe + reusable: + expected: + - threat.indicator + fields: - name: original_file_name type: wildcard diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml index 66f6f6b22c..ac9ac7e66c 100644 --- a/experimental/schemas/registry.yml +++ b/experimental/schemas/registry.yml @@ -1,5 +1,9 @@ --- - name: registry + reusable: + expected: + - threat.indicator + fields: - name: key type: wildcard diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml new file mode 100644 index 0000000000..523f909f06 --- /dev/null +++ b/experimental/schemas/threat.yml 
@@ -0,0 +1,196 @@
+---
+- name: threat
+
+ fields:
+
+ - name: indicator.first_seen
+ level: extended
+ type: date
+ short: Date/time indicator was first reported.
+ description: >
+ The date and time when intelligence source first reported sighting this indicator.
+
+ example: "2020-11-05T17:25:47.000Z"
+
+ - name: indicator.last_seen
+ level: extended
+ type: date
+ short: Date/time indicator was last reported.
+ description: >
+ The date and time when intelligence source last reported sighting this indicator.
+
+ example: "2020-11-05T17:25:47.000Z"
+
+ - name: indicator.sightings
+ level: extended
+ type: long
+ short: Number of times indicator observed
+ description: >
+ Number of times this indicator was observed conducting threat activity.
+
+ example: 20
+
+ - name: indicator.type
+ level: extended
+ type: keyword
+ short: Type of indicator
+ description: >
+ Type of indicator as represented by Cyber Observable in STIX 2.0.
+
+ Expected values
+ * autonomous-system
+ * artifact
+ * directory
+ * domain-name
+ * email-addr
+ * file
+ * ipv4-addr
+ * ipv6-addr
+ * mac-addr
+ * mutex
+ * process
+ * software
+ * url
+ * user-account
+ * windows-registry-key
+ * x-509-certificate
+
+ example: ipv4-addr
+
+ - name: indicator.description
+ level: extended
+ type: wildcard
+ short: Indicator description
+ description: >
+ Describes the type of action conducted by the threat.
+
+ example: IP x.x.x.x was observed delivering the Angler EK.
+
+ - name: indicator.scanner_stats
+ level: extended
+ type: long
+ short: Scanner statistics
+ description: >
+ Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+ example: 4
+
+ - name: indicator.provider
+ level: extended
+ type: keyword
+ description: >
+ Identifies the name of the intelligence provider.
+
+ example: VirusTotal
+
+ - name: indicator.confidence
+ level: extended
+ type: keyword
+ short: Indicator confidence rating
+ description: >
+ Identifies the confidence rating assigned by the provider using STIX confidence scales.
+
+ Expected values:
+ * Not Specified, None, Low, Medium, High
+ * 0-10
+ * Admirality Scale (1-6)
+ * DNI Scale (5-95)
+ * WEP Scale (Impossible - Certain)
+
+ example: High
+
+ - name: indicator.module
+ level: extended
+ type: keyword
+ short: Indicator module
+ description: >
+ Identifies the name of specific module this data is coming from.
+
+ example: threatintel
+
+ - name: indicator.dataset
+ level: extended
+ type: keyword
+ short: Indicator dataset
+ description: >
+ Identifies the name of specific dataset from the intelligence source.
+
+ example: threatintel.abusemalware
+
+ - name: indicator.ip
+ level: extended
+ type: ip
+ short: Indicator IP address
+ description: >
+ Identifies a threat indicator as an IP address (irrespective of direction).
+
+ example: 1.2.3.4
+
+ - name: indicator.domain
+ level: extended
+ type: keyword
+ short: Indicator domain name
+ description: >
+ Identifies a threat indicator as a domain (irrespective of direction).
+
+ example: example.com
+
+ - name: indicator.port
+ level: extended
+ type: long
+ short: Indicator port
+ description: >
+ Identifies a threat indicator as a port number (irrespective of direction).
+
+ example: 443
+
+ - name: indicator.email.address
+ level: extended
+ type: keyword
+ short: Indicator email address
+ description: >
+ Identifies a threat indicator as an email address (irrespective of direction).
+
+ example: phish@example.com
+
+ - name: indicator.marking.tlp
+ level: extended
+ type: keyword
+ short: Indicator TLP marking
+ description: >
+ Traffic Light Protocol sharing markings.
+
+ Expected values are:
+ * White
+ * Green
+ * Amber
+ * Red
+
+ example: White
+
+ - name: indicator.matched.atomic
+ level: extended
+ type: keyword
+ short: Indicator atomic match
+ description: >
+ Identifies the atomic indicator that matched a local environment endpoint or network event.
+
+ example: example.com
+
+ - name: indicator.matched.field
+ level: extended
+ type: keyword
+ short: Indicator field match
+ description: >
+ Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+ example: file.hash.sha256
+
+ - name: indicator.matched.type
+ level: extended
+ type: keyword
+ short: Indicator type match
+ description: >
+ Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
+
+ example: domain-name From bdf980c7d9f32fb419136e2e81dd135209f8775f Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 17 Feb 2021 22:50:25 -0600 Subject: [PATCH 83/90] Stage 1 changes for RFC 0015 - add elf fieldset (#1261) (#1275) --- CHANGELOG.next.md | 1 + experimental/generated/beats/fields.ecs.yml | 702 +++++++++ experimental/generated/csv/fields.csv | 87 ++ experimental/generated/ecs/ecs_flat.yml | 960 +++++++++++++ experimental/generated/ecs/ecs_nested.yml | 1277 +++++++++++++++++ .../generated/elasticsearch/7/template.json | 351 +++++ .../elasticsearch/component/file.json | 117 ++ .../elasticsearch/component/process.json | 234 +++ experimental/schemas/elf.yml | 198 +++ 9 files changed, 3927 insertions(+) create mode 100644 experimental/schemas/elf.yml
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index a3c3517daf..9aaa6af2ea 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
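Review bot: The `indicator.type` expected-values list in the new threat.yml spells the certificate observable `x-509-certificate`, but the STIX 2.0 Cyber Observable type the description itself points to is `x509-certificate`; because this is a `keyword` that detection rules and ingest pipelines will match byte-for-byte, the line should read `* x509-certificate`. If the list is meant to mirror the full STIX 2.0 observable set, `email-message` and `network-traffic` appear to be missing as well. In `indicator.confidence` the scale name is misspelled and should read `* Admiralty Scale (1-6)`. The TLP markings are documented as `White`/`Green`/`Amber`/`Red` on a case-sensitive `keyword`, so a one-line note that producers must normalise case before indexing (feeds commonly emit `white` or `TLP:WHITE`) would prevent silent mismatches in any marking-based sharing or access rule.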
@@ -29,6 +29,7 @@ Thanks, you're awesome :-) --> * Extended `pe` fields added to experimental schema. #1256 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249 * Add `threat.indicator` fields to experimental schema. #1268 +* Add `elf` fieldset to experimental schema. #1261 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b3a81e12e2..13bd5d57ab 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1520,6 +1520,186 @@ ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 + - name: elf + title: ELF Header + group: 2 + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + type: group + fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + default_field: false + - name: cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: sections + level: extended + type: nested + description: Section information of the ELF file. + default_field: false + - name: sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. 
+ default_field: false + - name: sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: segments + level: extended + type: nested + description: ELF object segment list. + default_field: false + - name: segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object + default_field: false + - name: telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + default_field: false - name: error title: Error group: 2 
@@ -1977,6 +2157,180 @@ The value should be uppercase, and not include the colon.' example: C default_field: false + - name: elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + default_field: false + - name: elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. 
+ default_field: false + - name: elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: elf.sections + level: extended + type: nested + description: Section information of the ELF file. + default_field: false + - name: elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. 
+ default_field: false + - name: elf.segments + level: extended + type: nested + description: ELF object segment list. + default_field: false + - name: elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object + default_field: false + - name: elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + default_field: false - name: extension level: extended type: keyword 
@@ -4325,6 +4679,180 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + default_field: false + - name: elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. 
+ default_field: false + - name: elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: elf.sections + level: extended + type: nested + description: Section information of the ELF file. + default_field: false + - name: elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. 
+ default_field: false + - name: elf.segments + level: extended + type: nested + description: ELF object segment list. + default_field: false + - name: elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object + default_field: false + - name: elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + default_field: false - name: entity_id level: extended type: keyword 
@@ -4492,6 +5020,180 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + default_field: false + - name: parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.elf.sections + level: extended + type: nested + description: Section information of the ELF file. + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. 
+ default_field: false + - name: parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.elf.segments + level: extended + type: nested + description: ELF object segment list. + default_field: false + - name: parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object + default_field: false + - name: parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + default_field: false - name: parent.entity_id level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index b9b7569221..4a34177817 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -221,6 +221,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +1.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +1.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0-dev+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file. 
+1.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +1.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0-dev+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list. +1.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +1.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files 1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
@@ -469,6 +498,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +1.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. 
+1.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0-dev+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file. +1.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +1.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0-dev+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list. +1.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +1.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files 1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 
1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
@@ -491,6 +549,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +1.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+1.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +1.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file. +1.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list. +1.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. 
+1.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files 1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f51f63864f..ed5d99cefc 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3130,6 +3130,326 @@ file.drive_letter: normalize: [] short: Drive letter where the file is located. type: keyword +file.elf.architecture: + dashed_name: file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +file.elf.byte_order: + dashed_name: file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +file.elf.cpu_type: + dashed_name: file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +file.elf.creation_date: + dashed_name: file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +file.elf.exports: + dashed_name: file-elf-exports + description: List of exported element names and types. + flat_name: file.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. + type: flattened +file.elf.header.abi_version: + dashed_name: file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +file.elf.header.class: + dashed_name: file-elf-header-class + description: Header class of the ELF file. + flat_name: file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +file.elf.header.data: + dashed_name: file-elf-header-data + description: Data table of the ELF header. + flat_name: file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +file.elf.header.entrypoint: + dashed_name: file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +file.elf.header.object_version: + dashed_name: file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +file.elf.header.os_abi: + dashed_name: file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +file.elf.header.type: + dashed_name: file-elf-header-type + description: Header type of the ELF file. 
+ flat_name: file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +file.elf.header.version: + dashed_name: file-elf-header-version + description: Version of the ELF header. + flat_name: file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +file.elf.imports: + dashed_name: file-elf-imports + description: List of imported element names and types. + flat_name: file.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened +file.elf.sections: + dashed_name: file-elf-sections + description: Section information of the ELF file. + flat_name: file.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested +file.elf.sections.chi2: + dashed_name: file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +file.elf.sections.entropy: + dashed_name: file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +file.elf.sections.flags: + dashed_name: file-elf-sections-flags + description: ELF Section List flags. + flat_name: file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +file.elf.sections.name: + dashed_name: file-elf-sections-name + description: ELF Section List name. + flat_name: file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +file.elf.sections.physical_offset: + dashed_name: file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +file.elf.sections.physical_size: + dashed_name: file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +file.elf.sections.type: + dashed_name: file-elf-sections-type + description: ELF Section List type. + flat_name: file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +file.elf.sections.virtual_address: + dashed_name: file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +file.elf.sections.virtual_size: + dashed_name: file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long +file.elf.segments: + dashed_name: file-elf-segments + description: ELF object segment list. + flat_name: file.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested +file.elf.segments.sections: + dashed_name: file-elf-segments-sections + description: ELF object segment sections. + flat_name: file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +file.elf.segments.type: + dashed_name: file-elf-segments-type + description: ELF object segment type. + flat_name: file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +file.elf.shared_libraries: + dashed_name: file-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword +file.elf.telfhash: + dashed_name: file-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. 
@@ -6142,6 +6462,326 @@ process.command_line: normalize: [] short: Full command line that started the process. type: wildcard +process.elf.architecture: + dashed_name: process-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.elf.byte_order: + dashed_name: process-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: process.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.elf.cpu_type: + dashed_name: process-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.elf.creation_date: + dashed_name: process-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.elf.exports: + dashed_name: process-elf-exports + description: List of exported element names and types. + flat_name: process.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.elf.header.abi_version: + dashed_name: process-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.elf.header.class: + dashed_name: process-elf-header-class + description: Header class of the ELF file. + flat_name: process.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.elf.header.data: + dashed_name: process-elf-header-data + description: Data table of the ELF header. + flat_name: process.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.elf.header.entrypoint: + dashed_name: process-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.elf.header.object_version: + dashed_name: process-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.elf.header.os_abi: + dashed_name: process-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.elf.header.type: + dashed_name: process-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.elf.header.version: + dashed_name: process-elf-header-version + description: Version of the ELF header. + flat_name: process.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.elf.imports: + dashed_name: process-elf-imports + description: List of imported element names and types. + flat_name: process.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.elf.sections: + dashed_name: process-elf-sections + description: Section information of the ELF file. + flat_name: process.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.elf.sections.chi2: + dashed_name: process-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.elf.sections.entropy: + dashed_name: process-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.elf.sections.flags: + dashed_name: process-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: process.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.elf.sections.name: + dashed_name: process-elf-sections-name + description: ELF Section List name. + flat_name: process.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.elf.sections.physical_offset: + dashed_name: process-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.elf.sections.physical_size: + dashed_name: process-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.elf.sections.type: + dashed_name: process-elf-sections-type + description: ELF Section List type. + flat_name: process.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.elf.sections.virtual_address: + dashed_name: process-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.elf.sections.virtual_size: + dashed_name: process-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: process.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.elf.segments: + dashed_name: process-elf-segments + description: ELF object segment list. + flat_name: process.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested +process.elf.segments.sections: + dashed_name: process-elf-segments-sections + description: ELF object segment sections. + flat_name: process.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.elf.segments.type: + dashed_name: process-elf-segments-type + description: ELF object segment type. + flat_name: process.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.elf.shared_libraries: + dashed_name: process-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: process.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword +process.elf.telfhash: + dashed_name: process-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: process.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -6409,6 +7049,326 @@ process.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: Section information of the ELF file. + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. 
+ type: long +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: ELF object segment list. + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 46621ccf87..235d539e8b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2568,6 +2568,315 @@ ecs: short: Meta-information specific to ECS. title: ECS type: group +elf: + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + fields: + elf.architecture: + dashed_name: elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + short: Machine architecture of the ELF file. + type: keyword + elf.byte_order: + dashed_name: elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + short: Byte sequence of ELF file. + type: keyword + elf.cpu_type: + dashed_name: elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + short: CPU type of the ELF file. + type: keyword + elf.creation_date: + dashed_name: elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: elf.creation_date + level: extended + name: creation_date + normalize: [] + short: Build or compile date. + type: date + elf.exports: + dashed_name: elf-exports + description: List of exported element names and types. + flat_name: elf.exports + level: extended + name: exports + normalize: [] + short: List of exported element names and types. + type: flattened + elf.header.abi_version: + dashed_name: elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + short: Version of the ELF Application Binary Interface (ABI). 
+ type: keyword + elf.header.class: + dashed_name: elf-header-class + description: Header class of the ELF file. + flat_name: elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + short: Header class of the ELF file. + type: keyword + elf.header.data: + dashed_name: elf-header-data + description: Data table of the ELF header. + flat_name: elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + short: Data table of the ELF header. + type: keyword + elf.header.entrypoint: + dashed_name: elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + short: Header entrypoint of the ELF file. + type: long + elf.header.object_version: + dashed_name: elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + short: '"0x1" for original ELF files.' + type: keyword + elf.header.os_abi: + dashed_name: elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + elf.header.type: + dashed_name: elf-header-type + description: Header type of the ELF file. + flat_name: elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + short: Header type of the ELF file. + type: keyword + elf.header.version: + dashed_name: elf-header-version + description: Version of the ELF header. + flat_name: elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + short: Version of the ELF header. 
+ type: keyword + elf.imports: + dashed_name: elf-imports + description: List of imported element names and types. + flat_name: elf.imports + level: extended + name: imports + normalize: [] + short: List of imported element names and types. + type: flattened + elf.sections: + dashed_name: elf-sections + description: Section information of the ELF file. + flat_name: elf.sections + level: extended + name: sections + normalize: [] + short: Section information of the ELF file. + type: nested + elf.sections.chi2: + dashed_name: elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + short: Chi-square probability distribution of the section. + type: long + elf.sections.entropy: + dashed_name: elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + elf.sections.flags: + dashed_name: elf-sections-flags + description: ELF Section List flags. + flat_name: elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + short: ELF Section List flags. + type: keyword + elf.sections.name: + dashed_name: elf-sections-name + description: ELF Section List name. + flat_name: elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: ELF Section List name. + type: keyword + elf.sections.physical_offset: + dashed_name: elf-sections-physical-offset + description: ELF Section List offset. + flat_name: elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + short: ELF Section List offset. 
+ type: keyword + elf.sections.physical_size: + dashed_name: elf-sections-physical-size + description: ELF Section List physical size. + flat_name: elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: ELF Section List physical size. + type: long + elf.sections.type: + dashed_name: elf-sections-type + description: ELF Section List type. + flat_name: elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + short: ELF Section List type. + type: keyword + elf.sections.virtual_address: + dashed_name: elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + short: ELF Section List virtual address. + type: long + elf.sections.virtual_size: + dashed_name: elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: ELF Section List virtual size. + type: long + elf.segments: + dashed_name: elf-segments + description: ELF object segment list. + flat_name: elf.segments + level: extended + name: segments + normalize: [] + short: ELF object segment list. + type: nested + elf.segments.sections: + dashed_name: elf-segments-sections + description: ELF object segment sections. + flat_name: elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + short: ELF object segment sections. + type: keyword + elf.segments.type: + dashed_name: elf-segments-type + description: ELF object segment type. + flat_name: elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + short: ELF object segment type. 
+ type: keyword + elf.shared_libraries: + dashed_name: elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + short: List of shared libraries used by this ELF object + type: keyword + elf.telfhash: + dashed_name: elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + short: telfhash hash for ELF files + type: keyword + group: 2 + name: elf + prefix: elf. + reusable: + expected: + - as: elf + at: file + full: file.elf + - as: elf + at: process + full: process.elf + top_level: false + short: These fields contain Linux Executable Linkable Format (ELF) metadata. + title: ELF Header + type: group error: description: 'These fields can represent errors of any kind. 
@@ -3610,6 +3919,326 @@ file: normalize: [] short: Drive letter where the file is located. type: keyword + file.elf.architecture: + dashed_name: file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + file.elf.byte_order: + dashed_name: file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + file.elf.cpu_type: + dashed_name: file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + file.elf.creation_date: + dashed_name: file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + file.elf.exports: + dashed_name: file-elf-exports + description: List of exported element names and types. + flat_name: file.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. + type: flattened + file.elf.header.abi_version: + dashed_name: file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + file.elf.header.class: + dashed_name: file-elf-header-class + description: Header class of the ELF file. + flat_name: file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + file.elf.header.data: + dashed_name: file-elf-header-data + description: Data table of the ELF header. + flat_name: file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + file.elf.header.entrypoint: + dashed_name: file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + file.elf.header.object_version: + dashed_name: file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + file.elf.header.os_abi: + dashed_name: file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + file.elf.header.type: + dashed_name: file-elf-header-type + description: Header type of the ELF file. 
+ flat_name: file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + file.elf.header.version: + dashed_name: file-elf-header-version + description: Version of the ELF header. + flat_name: file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + file.elf.imports: + dashed_name: file-elf-imports + description: List of imported element names and types. + flat_name: file.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened + file.elf.sections: + dashed_name: file-elf-sections + description: Section information of the ELF file. + flat_name: file.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested + file.elf.sections.chi2: + dashed_name: file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + file.elf.sections.entropy: + dashed_name: file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + file.elf.sections.flags: + dashed_name: file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + file.elf.sections.name: + dashed_name: file-elf-sections-name + description: ELF Section List name. + flat_name: file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + file.elf.sections.physical_offset: + dashed_name: file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + file.elf.sections.physical_size: + dashed_name: file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + file.elf.sections.type: + dashed_name: file-elf-sections-type + description: ELF Section List type. + flat_name: file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + file.elf.sections.virtual_address: + dashed_name: file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + file.elf.sections.virtual_size: + dashed_name: file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + file.elf.segments: + dashed_name: file-elf-segments + description: ELF object segment list. + flat_name: file.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested + file.elf.segments.sections: + dashed_name: file-elf-segments-sections + description: ELF object segment sections. + flat_name: file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + file.elf.segments.type: + dashed_name: file-elf-segments-type + description: ELF object segment type. + flat_name: file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + file.elf.shared_libraries: + dashed_name: file-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword + file.elf.telfhash: + dashed_name: file-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. 
@@ -4598,6 +5227,7 @@ file: name: file nestings: - file.code_signature + - file.elf - file.hash - file.pe - file.x509 @@ -4621,6 +5251,9 @@ file: - full: file.x509 schema_name: x509 short: These fields contain x509 certificate metadata. + - full: file.elf + schema_name: elf + short: These fields contain Linux Executable Linkable Format (ELF) metadata. short: Fields describing files. title: File type: group 
@@ -7673,6 +8306,326 @@ process: normalize: [] short: Full command line that started the process. type: wildcard + process.elf.architecture: + dashed_name: process-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.elf.byte_order: + dashed_name: process-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: process.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.elf.cpu_type: + dashed_name: process-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.elf.creation_date: + dashed_name: process-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.elf.exports: + dashed_name: process-elf-exports + description: List of exported element names and types. + flat_name: process.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.elf.header.abi_version: + dashed_name: process-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.elf.header.class: + dashed_name: process-elf-header-class + description: Header class of the ELF file. + flat_name: process.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.elf.header.data: + dashed_name: process-elf-header-data + description: Data table of the ELF header. + flat_name: process.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.elf.header.entrypoint: + dashed_name: process-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.elf.header.object_version: + dashed_name: process-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.elf.header.os_abi: + dashed_name: process-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.elf.header.type: + dashed_name: process-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.elf.header.version: + dashed_name: process-elf-header-version + description: Version of the ELF header. + flat_name: process.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.elf.imports: + dashed_name: process-elf-imports + description: List of imported element names and types. + flat_name: process.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.elf.sections: + dashed_name: process-elf-sections + description: Section information of the ELF file. + flat_name: process.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.elf.sections.chi2: + dashed_name: process-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.elf.sections.entropy: + dashed_name: process-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.elf.sections.flags: + dashed_name: process-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: process.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.elf.sections.name: + dashed_name: process-elf-sections-name + description: ELF Section List name. + flat_name: process.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.elf.sections.physical_offset: + dashed_name: process-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.elf.sections.physical_size: + dashed_name: process-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.elf.sections.type: + dashed_name: process-elf-sections-type + description: ELF Section List type. + flat_name: process.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.elf.sections.virtual_address: + dashed_name: process-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.elf.sections.virtual_size: + dashed_name: process-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: process.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.elf.segments: + dashed_name: process-elf-segments + description: ELF object segment list. + flat_name: process.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested + process.elf.segments.sections: + dashed_name: process-elf-segments-sections + description: ELF object segment sections. + flat_name: process.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.elf.segments.type: + dashed_name: process-elf-segments-type + description: ELF object segment type. + flat_name: process.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.elf.shared_libraries: + dashed_name: process-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: process.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword + process.elf.telfhash: + dashed_name: process-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: process.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -7940,6 +8893,326 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian, Big Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: [] + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: [] + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: Section information of the ELF file. + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: [] + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. 
+ type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: ELF object segment list. + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: [] + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object + flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash is symbol hash for ELF files, just like imphash is imports + hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF files + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. @@ -9204,6 +10477,7 @@ process: name: process nestings: - process.code_signature + - process.elf - process.hash - process.parent - process.pe @@ -9224,6 +10498,9 @@ process: - full: process.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. + - full: process.elf + schema_name: elf + short: These fields contain Linux Executable Linkable Format (ELF) metadata. - full: process.parent schema_name: process short: These fields contain information about a process. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index d0e3ddd29d..ccc3dda09f 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -1004,6 +1004,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" 
@@ -2162,6 +2279,123 @@ }, "type": "wildcard" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -2258,6 +2492,123 @@ }, "type": "wildcard" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 10df6dba11..d829ebfd29 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -61,6 +61,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 6433bd60cf..75adf5c85c 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -53,6 +53,123 @@ }, "type": "wildcard" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -149,6 +266,123 @@ }, "type": "wildcard" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/schemas/elf.yml b/experimental/schemas/elf.yml new file mode 100644 index 0000000000..82b17da920 --- /dev/null 
+++ b/experimental/schemas/elf.yml 
@@ -0,0 +1,198 @@ +--- +- name: elf + title: ELF Header + group: 2 + description: > + These fields contain Linux Executable Linkable Format (ELF) metadata. + type: group + reusable: + top_level: false + expected: + - file + - process + fields: + - name: creation_date + short: Build or compile date. + description: > + Extracted when possible from the file's metadata. Indicates when it was + built or compiled. It can also be faked by malware creators. + type: date + level: extended + + - name: architecture + description: > + Machine architecture of the ELF file. + type: keyword + level: extended + example: x86-64 + + - name: byte_order + description: > + Byte sequence of ELF file. + type: keyword + level: extended + example: Little Endian, Big Endian + + - name: cpu_type + description: > + CPU type of the ELF file. + type: keyword + level: extended + example: Intel + + - name: header.class + description: > + Header class of the ELF file. + type: keyword + level: extended + + - name: header.data + description: > + Data table of the ELF header. + type: keyword + level: extended + + - name: header.os_abi + description: > + Application Binary Interface (ABI) of the Linux OS. + type: keyword + level: extended + + - name: header.type + description: > + Header type of the ELF file. + type: keyword + level: extended + + - name: header.version + description: > + Version of the ELF header. + type: keyword + level: extended + + - name: header.abi_version + type: keyword + level: extended + description: > + Version of the ELF Application Binary Interface (ABI). + + - name: header.entrypoint + format: string + level: extended + type: long + description: > + Header entrypoint of the ELF file. + + - name: header.object_version + type: keyword + level: extended + description: > + "0x1" for original ELF files. + + - name: sections + description: > + Section information of the ELF file. 
+ type: nested + level: extended + + - name: sections.flags + description: > + ELF Section List flags. + type: keyword + level: extended + + - name: sections.name + description: > + ELF Section List name. + type: keyword + level: extended + + - name: sections.physical_offset + description: > + ELF Section List offset. + type: keyword + level: extended + + - name: sections.type + description: > + ELF Section List type. + type: keyword + level: extended + + - name: sections.physical_size + description: > + ELF Section List physical size. + format: bytes + type: long + level: extended + + - name: sections.virtual_address + description: > + ELF Section List virtual address. + format: string + type: long + level: extended + + - name: sections.virtual_size + description: > + ELF Section List virtual size. + format: string + type: long + level: extended + + - name: sections.entropy + description: > + Shannon entropy calculation from the section. + format: number + type: long + level: extended + + - name: sections.chi2 + description: > + Chi-square probability distribution of the section. + format: number + type: long + level: extended + + - name: exports + description: > + List of exported element names and types. + level: extended + type: flattened + + - name: imports + description: > + List of imported element names and types. + type: flattened + level: extended + + - name: shared_libraries + description: > + List of shared libraries used by this ELF object + type: keyword + level: extended + normalize: + - array + + - name: telfhash + short: telfhash hash for ELF files + description: > + telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + type: keyword + level: extended + + - name: segments + description: > + ELF object segment list. + type: nested + level: extended + + - name: segments.type + description: ELF object segment type. 
+ type: keyword + level: extended + + - name: segments.sections + description: ELF object segment sections. + type: keyword + level: extended From 31bbdd6daf98fe9cf516667141e7e5a73e0ab82b Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 18 Feb 2021 11:32:43 -0600 Subject: [PATCH 84/90] Cut 1.9 FF CHANGELOG.next.md (#1277) --- CHANGELOG.next.md | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9aaa6af2ea..e7ab356556 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,9 +10,14 @@ Thanks, you're awesome :-) --> ### Schema Changes +#### Breaking changes + +#### Bugfixes + +#### Added + #### Improvements -* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 ### Tooling and Artifact Changes #### Breaking changes 
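Review bot: `sections.entropy` and `sections.chi2` are declared `type: long` (with `format: number`), but Shannon entropy of a section is a fractional value in the 0–8 range and chi-square results are likewise fractional, so indexing them as integers truncates exactly the values detection rules threshold on to spot packed or encrypted sections; `type: float` (the type ECS already uses for `event.risk_score`) would preserve them. Relatedly, `sections.physical_offset` is a `keyword` while `sections.virtual_address` and `sections.virtual_size` are `long` with `format: string`, so range queries over offsets and addresses behave differently per field; one representation for all three would be more predictable. The `header.os_abi` description "Application Binary Interface (ABI) of the Linux OS" and the group description "Linux Executable Linkable Format (ELF)" overstate the Linux tie, since the ELF `EI_OSABI` field covers other systems as well; "of the operating system" would be more accurate. The `telfhash` description could read `telfhash is a symbol hash for ELF files, similar to imphash for PE files.`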
@@ -21,22 +26,33 @@ Thanks, you're awesome :-) --> #### Added -* Added `http.request.id`. #1208 -* Added `cloud.service.name`. #1204 +#### Improvements + +#### Deprecated + + +## 1.9.0 (Feature Freeze) + +### Schema Changes + +#### Added + * Added `hash.ssdeep`. #1169 -* Added additional host fields. #1248 +* Added `cloud.service.name`. #1204 +* Added `http.request.id`. #1208 +* `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 -* Extended `pe` fields added to experimental schema. #1256 +* Added `beta` host metrics fields. #1248 * Added `code_signature.team_id`, `code_signature.signing_id`. #1249 -* Add `threat.indicator` fields to experimental schema. #1268 +* Extended `pe` fields added to experimental schema. #1256 * Add `elf` fieldset to experimental schema. #1261 +* Add `threat.indicator` fields to experimental schema. #1268 #### Improvements * Include formatting guidance and examples for MAC address fields. #456 - -#### Deprecated - +* New section in ECS detailing event categorization fields usage. #1242 +* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 * Include formatting guidance and examples for MAC address fields. #456 * New section in ECS detailing event categorization fields usage. #1242 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 +* Bump jinja2 from 2.11.2 to 2.11.3 #1310 * Include formatting guidance and examples for MAC address fields. #456 * New section in ECS detailing event categorization fields usage. #1242 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 -* Bump jinja2 from 2.11.2 to 2.11.3 #1310 +* Update Python dependencies #1310, #1318 * `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. 
#1271 * Update Python dependencies #1310, #1318 +### Tooling and Artifact Changes + +#### Improvements + +* Adjustments to use terminology that doesn't have negative connotation. #1315 + #### Deprecated - -## 1.9.0 (Feature Freeze) - -### Schema Changes - -#### Added - -* Added `hash.ssdeep`. #1169 -* Added `cloud.service.name`. #1204 -* Added `http.request.id`. #1208 -* `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215 -* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 -* Added `beta` host metrics fields. #1248 -* Added `code_signature.team_id`, `code_signature.signing_id`. #1249 -* Extended `pe` fields added to experimental schema. #1256 -* Add `elf` fieldset to experimental schema. #1261 -* Add `threat.indicator` fields to experimental schema. #1268 - -#### Improvements - -* Include formatting guidance and examples for MAC address fields. #456 -* New section in ECS detailing event categorization fields usage. #1242 -* `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271 -* Update Python dependencies #1310, #1318 - -### Tooling and Artifact Changes - -#### Improvements - -* Adjustments to use terminology that doesn't have negative connotation. #1315 -