-
Notifications
You must be signed in to change notification settings - Fork 19
/
custom_process.yml
824 lines (697 loc) · 28.5 KB
/
custom_process.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
---
- name: process
title: Process
group: 2
short: These fields contain information about a process.
description: >
These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name
from a log message. The `process.pid` often stays in the metric itself and is
copied to the global field for correlation.
reusable:
top_level: true
expected:
- Target
- { at: Target.process, as: parent }
type: group
fields:
- name: command_line
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text
- name: executable
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text
- name: name
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text
- name: working_directory
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text
- name: ppid
level: extended
type: long
format: string
description: Parent process' pid.
example: 4241
- name: parent.thread
level: custom
type: object
description: The parent thread
- name: parent.thread.Ext
level: custom
type: object
description: Object for all custom defined fields for the parent thread to live in.
- name: parent.ppid
level: extended
type: long
format: string
description: Parent process' pid.
example: 4241
default_field: false
- name: Ext
level: custom
type: object
description: Object for all custom defined fields to live in.
- name: Ext.ancestry
level: custom
type: keyword
description: An array of entity_ids indicating the ancestors for this event
- name: Ext.architecture
level: custom
type: keyword
example: "x86_64"
description: Process architecture. It can differ from host architecture.
- name: Ext.services
level: custom
type: keyword
description: >
Services running in this process.
- name: Ext.user
level: custom
type: keyword
description: >
User associated with the running process.
- name: thread.Ext
level: custom
type: object
description: Object for all custom defined fields to live in.
- name: thread.Ext.call_stack_contains_unbacked
level: custom
type: boolean
description: Indicates whether the creating thread's stack contains frames pointing outside any known executable image.
- name: thread.Ext.call_stack_summary
level: custom
type: keyword
example: "ntdll.dll|example.exe|kernel32.dll|ntdll.dll"
description: >
Concatentation of the non-repeated modules in the call stack.
- name: thread.Ext.call_stack
level: custom
type: object
description: The thread's call stack
- name: thread.Ext.call_stack_final_user_module
level: custom
type: nested
description: >
The final non-win32 module in the call stack.
- name: thread.Ext.call_stack_final_user_module.name
level: custom
type: keyword
example: "example.dll"
description: >
The file name of the call_stack_final_user_module.
- name: thread.Ext.call_stack_final_user_module.path
level: custom
type: keyword
example: "C:\\Program Files\\Example\\example.dll"
description: >
The file path of the call_stack_final_user_module.
- name: thread.Ext.call_stack_final_user_module.allocation_private_bytes
level: custom
type: unsigned_long
short: The number of bytes in this memory region that are both +X and non-shareable.
description: >
The number of bytes in this memory region that are both +X and non-shareable.
Non-zero values can indicate code hooking, patching, or hollowing.
- name: thread.Ext.call_stack_final_user_module.protection
level: custom
type: keyword
example: "RWX"
description: >
The memory protection for the acting region of pages. Corresponds to `MEMORY_BASIC_INFORMATION.Protect`
- name: thread.Ext.call_stack_final_user_module.protection_provenance
level: custom
type: keyword
example: "third_party_hook.dll"
short: The name of the memory region that caused the last modification of the protection of this page.
description: >
The name of the memory region that caused the last modification of the protection of this page. "Unbacked" may indicate shellcode.
- name: thread.Ext.call_stack_final_user_module.protection_provenance_path
level: custom
type: keyword
example: "C:\\Program Files\\Hook Inc\\third_party_hook.dll"
description: >
The path of the module that caused the last modification the protection of this page.
- name: thread.Ext.call_stack_final_user_module.reason
level: custom
type: keyword
example: "ntdll.dll|kernelbase.dll"
description: >
The unexpected call_stack_summary that led to an "Undetermined" protection_provenance.
- name: thread.Ext.call_stack_final_user_module.code_signature
level: custom
type: nested
description: Code signature of the call_stack_final_user_module.
- name: thread.Ext.call_stack_final_user_module.code_signature.exists
level: custom
type: boolean
description: Boolean to capture if a signature is present.
example: "true"
- name: thread.Ext.call_stack_final_user_module.code_signature.subject_name
level: custom
type: keyword
description: Subject name of the code signer
example: Microsoft Corporation
- name: thread.Ext.call_stack_final_user_module.code_signature.valid
level: custom
type: boolean
short: Boolean to capture if the digital signature is verified against the binary content.
example: "true"
description: >
Boolean to capture if the digital signature is verified against the binary content.
Leave unpopulated if a certificate was unchecked.
- name: thread.Ext.call_stack_final_user_module.code_signature.trusted
level: custom
type: boolean
short: Stores the trust status of the certificate chain.
example: "true"
description: >
Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field should only be populated
by tools that actively check the status.
- name: thread.Ext.call_stack_final_user_module.code_signature.status
level: custom
type: keyword
short: Additional information about the certificate status.
description: >
Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity or trust status.
Leave unpopulated if the validity or trust of the certificate was unchecked.
example: ERROR_UNTRUSTED_ROOT
- name: thread.Ext.call_stack_final_user_module.hash
level: custom
type: object
description: Hashes of the call_stack_final_user_module.
- name: thread.Ext.call_stack_final_user_module.hash.sha256
level: custom
type: keyword
description: The sha256 of the call_stack_final_user_module.
example: "d25ff1e6c6460a7f9de39198d182058c1712726008d187e1953b83abe977e4a0"
- name: thread.Ext.hardware_breakpoint_set
level: custom
type: boolean
short: Whether a hardware breakpoint was set for the thread.
description: >
Whether a hardware breakpoint was set for the thread.
This field is omitted if false.
example: "true"
- name: thread.Ext.start
level: custom
type: date
example: "2016-05-23T08:05:34.853Z"
description: >
The time the thread started.
- name: thread.Ext.start_address
level: custom
type: unsigned_long
example: 4194304
description: >
Memory address where the thread began execution.
- name: thread.Ext.start_address_allocation_offset
level: custom
type: unsigned_long
example: 0
description: >
Offset of start_address into the memory allocation. Equal to start_address - start_address_details.allocation_base.
- name: thread.Ext.start_address_bytes
level: custom
type: keyword
example: "c3cc0000cccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
description: >
A few (typically 32) raw opcode bytes at the thread start address, hex-encoded.
- name: thread.Ext.start_address_bytes_disasm
level: custom
type: keyword
example: "ret\\nint3"
description: >
The bytes at the thread start address, disassembled into human-readable assembly code.
- name: thread.Ext.start_address_bytes_disasm_hash
level: custom
type: keyword
example: "aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c"
short: The hash of the disassembled code at the thread start_address.
description: >
The bytes at the thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed.
- name: thread.Ext.start_address_module
level: custom
type: keyword
example: "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
description: >
The dll/module where the thread began execution.
- name: thread.Ext.start_address_details
level: custom
type: object
description: >
Additional information about the memory containing the thread start address.
- name: thread.Ext.original_start_address
level: custom
type: unsigned_long
example: 4194304
description: >
When a trampoline was detected, this indicates the original content for the thread start address in memory.
- name: thread.Ext.original_start_address_allocation_offset
level: custom
type: unsigned_long
example: 0
short: The offset of original_start_address from the allocation base.
description: >
When a trampoline was detected, this indicates the offset of original_start_address from the allocation base.
- name: thread.Ext.original_start_address_bytes
level: custom
type: keyword
example: "48b84141414141414141ffe000ccccccccccccccccccccccccccccccccccccccc"
short: The hex-encoded bytes at the original_start_address.
description: >
When a trampoline was detected, this holds the hex-encoded bytes at the original thread start address.
- name: thread.Ext.original_start_address_bytes_disasm
level: custom
type: keyword
example: "mov rax, 0x4141414141414141\\njmp rax"
short: The disassembled code at the original_start_address.
description: >
When a trampoline was detected, this holds the disassembled code at the original thread start address.
- name: thread.Ext.original_start_address_bytes_disasm_hash
level: custom
type: keyword
example: "aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c"
short: The hash of the disassembled code at the original_start_address.
description: >
When a trampoline was detected, this holds the bytes at the original thread start address, with immediate values capped to 0x100, disassembled into human-readable assembly code, then hashed.
- name: thread.Ext.original_start_address_module
level: custom
type: keyword
example: "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
description: >
When a trampoline was detected, this indicates the original content for the dll/module where the thread began execution.
- name: thread.Ext.start_address_details
level: custom
type: object
description: >
Additional information about the memory containing the thread start address.
- name: thread.Ext.service
level: custom
type: keyword
example: VaultSvc
description: >
Service associated with the thread.
- name: thread.Ext.uptime
level: custom
type: long
description: >
Seconds since thread started.
- name: thread.Ext.parameter
level: custom
type: unsigned_long
description: >
When a thread is created, this is the raw numerical value of its parameter.
- name: thread.Ext.parameter_bytes_compressed
level: custom
type: keyword
index: false
short: Up to 512KB of raw data from the thread parameter.
description: >
Up to 512KB of raw data from the thread parameter, if it is a valid pointer. This is compressed with zlib. To reduce data volume, this is de-duplicated on the endpoint, and may be missing from many alerts if the same data would be sent multiple times.
- name: thread.Ext.parameter_bytes_compressed_present
level: custom
type: boolean
description: >
Whether parameter_bytes_compressed is present in this event.
- name: Ext.authentication_id
level: custom
type: keyword
description: >
Process authentication ID
- name: Ext.session
level: custom
type: keyword
description: >
Session information for the current process
- name: Ext.code_signature
level: custom
type: nested
description: Nested version of ECS code_signature fieldset.
- name: Ext.code_signature.exists
level: custom
type: boolean
description: Boolean to capture if a signature is present.
example: "true"
- name: Ext.code_signature.subject_name
level: custom
type: keyword
description: Subject name of the code signer
example: Microsoft Corporation
- name: Ext.code_signature.valid
level: custom
type: boolean
short: Boolean to capture if the digital signature is verified against the binary content.
example: "true"
description: >
Boolean to capture if the digital signature is verified against the binary content.
Leave unpopulated if a certificate was unchecked.
- name: Ext.code_signature.trusted
level: custom
type: boolean
short: Stores the trust status of the certificate chain.
example: "true"
description: >
Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field should only be populated
by tools that actively check the status.
- name: Ext.code_signature.status
level: custom
type: keyword
short: Additional information about the certificate status.
description: >
Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity or trust status.
Leave unpopulated if the validity or trust of the certificate was unchecked.
example: ERROR_UNTRUSTED_ROOT
- name: Ext.created_suspended
level: custom
type: boolean
short: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API.
description: A heuristic indicating if the CREATE_SUSPENDED flag was passed to the Win32 CreateProcess API. Not valid for direct syscalls.
example: "true"
- name: Ext.mitigation_policies
level: custom
type: keyword
short: Process mitigation policies.
description: >
Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc.
Examples include Microsoft only, CF Guard, User Shadow Stack enabled
- name: Ext.real
level: custom
type: object
description: >
The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent.
- name: Ext.real.pid
level: custom
type: long
short: The real pid of the process if ppid spoofing is happening.
description: >
For process.parent this will be the ppid of the process that actually spawned the current process.
- name: Ext.defense_evasions
level: custom
type: keyword
short: List of defense evasions found in this process.
description: >
List of defense evasions found in this process.
These defense evasions can make it harder to inspect a process and/or cause abnormal OS behavior.
Examples tools that can cause defense evasions include Process Doppelganging and Process Herpaderping.
- name: Ext.relative_file_creation_time
level: custom
type: double
short: Number of seconds since the process's file was created
description: >
Number of seconds since the process's file was created.
This number may be negative if the file's timestamp is in the future.
- name: Ext.relative_file_name_modify_time
level: custom
type: double
short: Number of seconds since the process's name was modified
description: >
Number of seconds since the process's name was modified.
This information can come from the NTFS MFT.
This number may be negative if the file's timestamp is in the future.
- name: Ext.protection
level: custom
type: keyword
short: OS-level protections granted to this process
description: >
Indicates the protection level of this process. Uses the same syntax as Process Explorer.
Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light.
- name: Ext.session_info.logon_type
level: custom
type: keyword
description: >
Session logon type. Examples include Interactive, Network, and Service.
- name: Ext.session_info.client_address
level: custom
type: keyword
description: >
Client's IPv4 or IPv6 address as a string, if available.
- name: Ext.session_info.id
level: custom
type: unsigned_long
description: >
Session ID
- name: Ext.session_info.authentication_package
level: custom
type: keyword
description: >
Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP
- name: Ext.session_info.relative_logon_time
level: custom
type: double
description: >
Process creation time, relative to logon time, in seconds.
- name: Ext.session_info.relative_password_age
level: custom
type: double
description: >
Process creation time, relative to the last time the password was changed, in seconds.
- name: Ext.session_info.user_flags
level: custom
type: keyword
description: >
List of user flags associated with this logon session.
Examples include LOGON_NTLMV2_ENABLED and LOGON_WINLOGON.
- name: Ext.device.bus_type
level: custom
type: keyword
short: Bus type of the device.
description: >
Bus type of the device, such as Nvme, Usb, FileBackedVirtual,... etc.
- name: Ext.device.dos_name
level: custom
type: keyword
short: DOS name of the device.
description: >
DOS name of the device.
DOS device name is in the format of driver letters such as C:, D:,...
- name: Ext.device.nt_name
level: custom
type: keyword
short: NT name of the device.
description: >
NT name of the device.
NT device name is in the format such as:
\Device\HarddiskVolume2
- name: Ext.device.product_id
level: custom
type: keyword
short: ProductID of the device.
description: >
ProductID of the device. It is provided by the vendor of the device if any.
- name: Ext.device.serial_number
level: custom
type: keyword
short: Serial Number of the device.
description: >
Serial Number of the device. It is provided by the vendor of the device if any.
- name: Ext.device.vendor_id
level: custom
type: keyword
short: VendorID of the device.
description: >
VendorID of the device. It is provided by the vendor of the device.
- name: Ext.device.volume_device_type
level: custom
type: keyword
short: Volume device type.
description: >
Volume device type.
Following are examples of the most frequently seen volume device types:
Disk File System
CD-ROM File System
- name: Ext.device.file_system_type
level: custom
type: keyword
short: Volume device file system type.
description: >
Volume device file system type.
Following are examples of the most frequently seen volume device file system types:
NTFS
UDF
- name: Ext.trusted
level: custom
type: boolean
short: Whether or not the process is a trusted application
description: >
Whether or not the process is a trusted application
- name: Ext.trusted_descendant
level: custom
type: boolean
short: Whether or not the process is a descendent of a trusted application
description: >
Whether or not the process is a descendent of a trusted application
- name: code_signature.exists
level: core
type: boolean
description: Boolean to capture if a signature is present.
example: "true"
- name: code_signature.subject_name
level: extended
type: keyword
description: Subject name of the code signer
example: Microsoft Corporation
- name: code_signature.valid
level: extended
type: boolean
short: Boolean to capture if the digital signature is verified against the binary content.
example: "true"
description: >
Boolean to capture if the digital signature is verified against the binary content.
Leave unpopulated if a certificate was unchecked.
- name: code_signature.trusted
level: extended
type: boolean
short: Stores the trust status of the certificate chain.
example: "true"
description: >
Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field should only be populated
by tools that actively check the status.
- name: code_signature.status
level: extended
type: keyword
short: Additional information about the certificate status.
description: >
Additional information about the certificate status.
This is useful for logging cryptographic errors with the certificate validity or trust status.
Leave unpopulated if the validity or trust of the certificate was unchecked.
example: ERROR_UNTRUSTED_ROOT
- name: code_signature.signing_id
level: extended
type: keyword
short: The identifier used to sign the binary.
description: >
'The identifier used to sign the binary.
This is used to identify the application manufactured by a software vendor. The
field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
- name: code_signature.team_id
level: extended
type: keyword
short: The team identifier used to sign the binary.
description: >
'The team identifier used to sign the binary.
This is used to identify the team or vendor of a software product. The field is
relevant to Apple *OS only.'
example: EQHXZ8M8AV
- name: tty
level: extended
type: object
short: Information about the controlling TTY device.
description: >
Information about the controlling TTY device. If set, the process belongs to an interactive session.
- name: tty.char_device.major
level: extended
type: long
short: The TTY character device's major number.
description: >
The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
example: 4
- name: tty.char_device.minor
level: extended
type: long
short: The TTY character device's minor number.
description: >
The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
example: 1
- name: tty.rows
level: extended
type: long
beta: This field is beta and subject to change.
short: The number of character rows in the terminal. e.g terminal height
description: >
The number of character rows in the terminal. e.g terminal height
Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'
example: 24
- name: tty.columns
level: extended
type: long
beta: This field is beta and subject to change.
short: The number of character columns per line. e.g terminal width
description: >
The number of character columns per line. e.g terminal width
Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'
example: 80
- name: io
level: extended
type: object
beta: This field is beta and subject to change.
short: A chunk of input or output (IO) from a single process.
description: >
A chunk of input or output (IO) from a single process.
This field only appears on the top level process object, which is the process that wrote the output or read the input.
- name: io.type
level: extended
type: keyword
beta: This field is beta and subject to change.
short: The type of object on which the IO action (read or write) was taken.
description: >
The type of object on which the IO action (read or write) was taken.
Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.
- name: io.text
level: extended
type: wildcard
beta: This field is beta and subject to change.
short: A chunk of output or input sanitized to UTF-8.
description: >
A chunk of output or input sanitized to UTF-8.
Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.
- name: io.total_bytes_captured
level: extended
type: long
beta: This field is beta and subject to change.
description: >
The total number of bytes captured in this event.
- name: io.total_bytes_skipped
level: extended
type: long
beta: This field is beta and subject to change.
short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
description: >
The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero
- name: io.max_bytes_per_process_exceeded
level: extended
type: boolean
beta: This field is beta and subject to change.
description: >
If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
- name: io.bytes_skipped
level: extended
type: object
beta: This field is beta and subject to change.
description: >
An array of byte offsets and lengths denoting where IO data has been skipped.
normalize: array
- name: io.bytes_skipped.offset
level: extended
type: long
beta: This field is beta and subject to change.
description: >
The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
- name: io.bytes_skipped.length
level: extended
type: long
beta: This field is beta and subject to change.
description: >
The length of bytes skipped.