diff --git a/dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml b/dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml
new file mode 100644
index 000000000..bbe9a9977
--- /dev/null
+++ b/dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml
@@ -0,0 +1,3807 @@ +- name: "@timestamp" + level: core + required: true + type: date + description: "Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events." + example: "2016-05-23T08:05:34.853Z" +- name: message + level: core + type: text + description: + "For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message." + example: Hello World +- name: agent + title: Agent + group: 2 + description: "The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken." + footnote: + "Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server." + type: group + fields: + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: "Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not." + example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique identifier of this agent (if one exists). 
+ + Example: For Beats this would be beat.id." + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty." + example: foo + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of the agent. + + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine." + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: destination + title: Destination + group: 2 + description: + "Destination fields describe details about the destination of a packet/event. + + Destination fields are usually populated in conjunction with source fields." + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: + "Some event destination addresses are defined ambiguously. The + event will sometimes list an IP, a domain or a unix socket. You should always + store the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is." + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: ip + level: core + type: ip + description: "IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses." 
+ - name: packets + level: core + type: long + description: Packets sent from the destination to the source. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk +- name: dll + title: DLL + group: 2 + description: + 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: "Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked." + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false +- name: dns + title: DNS + group: 2 + description: "Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the + query details as well as all of the answers that were provided for this query + (`dns.type:answer`)." + type: group + fields: + - name: question.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.google.com + - name: question.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered domain, stripped of the subdomain. 
+ + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: question.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + - name: question.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: question.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: resolved_ip + level: extended + type: ip + description: "Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for." + example: + - 10.10.10.10 + - 10.10.10.11 +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. 
+ type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: + "ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events." + example: 1.0.0 +- name: endpoint + title: Endpoint + group: 2 + description: TODO + type: group + fields: + - name: file.original.gid + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.group + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.mode + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.owner + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.original.uid + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: file.windows.zone_identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: group.real.id + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: group.real.name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: policy.id + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: process.authentication_id + level: custom + type: keyword + ignore_above: 1024 + description: TODO + 
default_field: false + - name: process.parent.real.pid + level: custom + type: long + description: + The ppid of the process that actually spawned the current process, + in case of ppid spoofing. + default_field: false + - name: process.session + level: custom + type: keyword + ignore_above: 1024 + description: Session information for the current process + default_field: false + - name: process.token.elevation + level: custom + type: keyword + ignore_above: 1024 + description: Whether the token is elevated or not + default_field: false + - name: process.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: process.token.integrity_level + level: custom + type: keyword + ignore_above: 1024 + description: Integrity level of the process. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: user.real.id + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: user.real.name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false +- name: event + title: Event + group: 2 + description: "The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical or categorical measurements and the time at which the measurement + was taken. Examples of metric events include memory pressure measured on a host, + or vulnerabilities measured on a scanned host." 
+ type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: "The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer." + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: + 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: + "event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent's or pipeline's ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used." + example: "2016-05-23T08:05:34.857Z" + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: "Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. 
+ + It's recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name." + example: apache.access + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: + Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: ingested + level: core + type: date + description: "Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It's + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`." + example: "2016-05-23T08:05:35.101Z" + default_field: false + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: + "This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not." + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: "Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. 
Apache logs), `event.module` should contain + the name of this module." + example: apache + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: + "This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represent a success or a + failure. Note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events or events with `event.type:info`." + example: success + - name: sequence + level: extended + type: long + format: string + description: "Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision." + - name: type + level: core + type: keyword + ignore_above: 1024 + description: + 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: file + title: File + group: 2 + description: "A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric." + type: group + fields: + - name: accessed + level: extended + type: date + description: "Last time the file was accessed. + + Note that not all filesystems keep track of access time." 
+ - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: "Array of file attributes. + + Attributes names will vary by platform. Here's a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write." + example: '["readonly", "system"]' + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: "true" + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: "Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked." + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: "Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status." + example: "true" + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: + "Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked." + example: "true" + default_field: false + - name: created + level: extended + type: date + description: "File creation time. + + Note that not all filesystems store the creation time." + - name: ctime + level: extended + type: date + description: "Last time the file attributes or metadata changed. 
+ + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file." + - name: device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: + Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: drive_letter + level: extended + type: keyword + ignore_above: 1 + description: + "Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon." + example: C + default_field: false + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: "1001" + - name: group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + - name: hash.imphash + level: extended + type: keyword + ignore_above: 1024 + description: Imphash. + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: "256383" + - name: mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. 
+ example: "0640" + - name: mtime + level: extended + type: date + description: Last time the file content was modified. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: + Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' 
+ example: 16384 + - name: target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Target path for symlinks. + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + - name: uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: "1001" +- name: file_classification + title: File Classification + group: 2 + description: TODO + type: group + fields: + - name: captured_file + level: custom + type: boolean + description: TODO + default_field: false + - name: entry_modified + level: custom + type: double + description: TODO + default_field: false + - name: is_signature_trusted + level: custom + type: boolean + description: TODO + default_field: false + - name: macro_details.code_page + level: custom + type: long + description: TODO + default_field: false + - name: macro_details.errors + level: custom + type: nested + description: TODO + default_field: false + - name: macro_details.errors.count + level: custom + type: long + description: TODO + default_field: false + - name: macro_details.errors.error_type + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: macro_details.file_extension + level: custom + type: long + description: TODO + default_field: false + - name: macro_details.macro_collection + level: custom + type: object + object_type: keyword + description: TODO + default_field: false + - name: macro_details.project_file + level: custom + type: object + object_type: keyword + description: TODO + default_field: false + - name: macro_details.stream_data + level: custom + type: nested + description: TODO + default_field: false + - name: macro_details.stream_data.name + level: custom + type: keyword + ignore_above: 1024 + description: 
TODO + default_field: false + - name: macro_details.stream_data.raw_code + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: macro_details.stream_data.raw_code_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.compressed_malware_features.data_buffer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.compressed_malware_features.decompressed_size + level: custom + type: integer + description: TODO + default_field: false + - name: malware_classification.compressed_malware_features.encoding + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.prevention_threshold + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.score + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.threshold + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.upx_packed + level: custom + type: boolean + description: TODO + default_field: false + - name: malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: quarantine_result.alert_correlation_id + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: quarantine_result.quarantine_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: signature_signer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: temp_file_path + level: 
custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: user_blacklisted + level: custom + type: boolean + description: TODO + default_field: false + - name: yara_hits + level: custom + type: nested + description: TODO + default_field: false + - name: yara_hits.identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: yara_hits.matched_data + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: yara_hits.rule_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: yara_hits.version + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member. + + For example, on Windows this could be the host's Active Directory domain + or NetBIOS domain name. 
For Linux this could be the domain of the host's + LDAP provider." + example: CONTOSO + default_field: false + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: keyword + ignore_above: 1024 + description: + "User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation." + example: boston-dc + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`." + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. 
+ - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.variant + level: custom + type: keyword + ignore_above: 1024 + description: + A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, + this could be the container, for example, or other information meaningful + in your environment." 
+ - name: uptime + level: extended + type: long + description: Seconds the host has been up. + example: 1325 + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name." + - name: user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + - name: user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name." + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: + "Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used." + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. + - name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert +- name: http + title: HTTP + group: 2 + description: Fields related to HTTP activity. Use the `url` field set to store + the url of the request. 
+ type: group + fields: + - name: response.body.bytes + level: extended + type: long + format: bytes + description: Size in bytes of the response body. + example: 887 + - name: response.body.content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. + example: Hello world + - name: response.bytes + level: extended + type: long + format: bytes + description: Total size in bytes of the response (body and headers). + example: 1437 + - name: response.status_code + level: extended + type: long + format: string + description: HTTP response status code. + example: 404 + - name: response.version + level: custom + type: keyword + ignore_above: 1024 + description: HTTP version + default_field: false +- name: network + title: Network + group: 2 + description: + "The network is defined as the communication path over which a host + or network event happens. + + The network.* fields should be populated with details about the network activity + associated with an event." + type: group + fields: + - name: bytes + level: core + type: long + format: bytes + description: "Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum." + example: 368 + - name: community_id + level: extended + type: keyword + ignore_above: 1024 + description: + "A hash of source and destination IPs and ports, as well as the + protocol used in a communication. This is a tool-agnostic standard to identify + flows. + + Learn more at https://github.com/corelight/community-id-spec." 
+ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: + "Direction of the network traffic.\nRecommended values are:\n \ + \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ + \ mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: iana_number + level: extended + type: keyword + ignore_above: 1024 + description: + IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). + Standardized list of protocols. This aligns well with NetFlow and sFlow related + logs which use the IANA Protocol Number. + example: 6 + - name: packets + level: core + type: long + description: "Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` + is their sum." + example: 24 + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: + 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: transport + level: core + type: keyword + ignore_above: 1024 + description: + 'Same as network.iana_number, but instead using the Keyword name + of the transport layer (udp, tcp, ipv6-icmp, etc.) + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: tcp + - name: type + level: core + type: keyword + ignore_above: 1024 + description: + 'In the OSI Model this would be the Network Layer. ipv4, ipv6, + ipsec, pim, etc + + The field value must be normalized to lowercase for querying. 
See the documentation + section "Implementing ECS".' + example: ipv4 +- name: package + title: Package + group: 2 + description: + These fields contain information about an installed software package. + It contains general information about a package, such as name, version or size. + It also contains installation details, such as time or location. + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Package name + example: go +- name: process + title: Process + group: 2 + description: "These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation." + type: group + fields: + - name: args + level: extended + type: keyword + ignore_above: 1024 + description: + "Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information." + example: + - /usr/bin/ssh + - -l + - user + - 10.0.0.16 + - name: args_count + level: extended + type: long + description: "Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity." 
+ example: 4 + default_field: false + - name: argv_list + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode + level: custom + type: nested + description: TODO + default_field: false + - name: authenticode.cert_signer.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_signer.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_signer.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_signer.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_timestamp.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_timestamp.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_timestamp.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.cert_timestamp.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.more_info_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.program_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: authenticode.publisher_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: "true" + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: "Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked." + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: "Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status." + example: "true" + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: + "Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked." + example: "true" + default_field: false + - name: command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: + "Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information." 
+ example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: cpu_percent + level: custom + type: double + description: TODO + default_field: false + - name: cwd + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions + level: custom + type: nested + description: TODO + default_field: false + - name: defense_evasions.call_stack + level: custom + type: nested + description: TODO + default_field: false + - name: defense_evasions.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.memory_section.memory_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.memory_section.memory_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.delta_count + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.evasion_subtype + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.evasion_type + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: 
defense_evasions.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.memory_sections + level: custom + type: nested + description: TODO + default_field: false + - name: defense_evasions.memory_sections.memory_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.memory_sections.memory_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.memory_sections.protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.module_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.thread.thread_id + level: custom + type: long + description: TODO + default_field: false + - name: defense_evasions.thread.thread_start_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: defense_evasions.total_memory_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: domain + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: "Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts." 
+ example: c2c455d9f99375d + default_field: false + - name: env_variables + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: + "The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start)." + example: 137 + default_field: false + - name: file_hash.imphash + level: custom + type: keyword + ignore_above: 1024 + description: Imphash. + default_field: false + - name: file_hash.md5 + level: custom + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: file_hash.sha1 + level: custom + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: file_hash.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: file_hash.sha512 + level: custom + type: keyword + ignore_above: 1024 + description: SHA512 hash. 
+ default_field: false + - name: gid + level: custom + type: long + description: TODO + default_field: false + - name: group + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: handles + level: custom + type: nested + description: TODO + default_field: false + - name: handles.handle_id + level: custom + type: long + description: TODO + default_field: false + - name: handles.handle_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: handles.handle_type + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: has_unbacked_execute_memory + level: custom + type: boolean + description: TODO + default_field: false + - name: hash.imphash + level: extended + type: keyword + ignore_above: 1024 + description: Imphash. + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: hash_matched_module + level: custom + type: boolean + description: TODO + default_field: false + - name: is_endpoint + level: custom + type: boolean + description: Is this the Elastic Endpoint process or not. 
+ default_field: false + - name: malware_classification.compressed_malware_features.data_buffer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.compressed_malware_features.decompressed_size + level: custom + type: integer + description: TODO + default_field: false + - name: malware_classification.compressed_malware_features.encoding + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: malware_classification.prevention_threshold + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.score + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.threshold + level: custom + type: double + description: TODO + default_field: false + - name: malware_classification.upx_packed + level: custom + type: boolean + description: TODO + default_field: false + - name: malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_percent + level: custom + type: double + description: TODO + default_field: false + - name: memory_region + level: custom + type: nested + description: TODO + default_field: false + - name: memory_region.allocation_base + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.allocation_protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.bytes + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.histogram + level: custom + type: nested + description: TODO + default_field: false + - name: 
memory_region.histogram.histogram_array + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.histogram.histogram_flavor + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.histogram.histogram_resolution + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.length + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.memory + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.memory_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.module_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.permission + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.region_base + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.region_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.region_tag + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.type + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: memory_region.unbacked_on_disk + level: custom + type: boolean + description: TODO + default_field: false + - name: modules + level: custom + type: nested + description: These fields contain information about a list of modules. 
+ default_field: false + - name: modules.architecture + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode + level: custom + type: nested + description: TODO + default_field: false + - name: modules.authenticode.cert_signer.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_signer.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_signer.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_signer.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_timestamp.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_timestamp.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_timestamp.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.cert_timestamp.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.more_info_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.program_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.authenticode.publisher_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.compile_time + level: custom + type: date + description: TODO + 
default_field: false + - name: modules.malware_classification.compressed_malware_features.data_buffer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.malware_classification.compressed_malware_features.decompressed_size + level: custom + type: integer + description: TODO + default_field: false + - name: modules.malware_classification.compressed_malware_features.encoding + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.malware_classification.prevention_threshold + level: custom + type: double + description: TODO + default_field: false + - name: modules.malware_classification.score + level: custom + type: double + description: TODO + default_field: false + - name: modules.malware_classification.threshold + level: custom + type: double + description: TODO + default_field: false + - name: modules.malware_classification.upx_packed + level: custom + type: boolean + description: TODO + default_field: false + - name: modules.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.mapped_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.mapped_size + level: custom + type: long + description: TODO + default_field: false + - name: modules.path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.pe_exports + level: custom + type: nested + description: TODO + default_field: false + - name: modules.pe_exports.name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.pe_exports.ordinal + level: custom + type: long + description: 
TODO + default_field: false + - name: modules.pe_imports + level: custom + type: nested + description: TODO + default_field: false + - name: modules.pe_imports.dll_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.pe_imports.import_names + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.signature_signer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: modules.signature_status + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: "Process name. + + Sometimes called program name or similar." + example: ssh + - name: num_threads + level: custom + type: long + description: TODO + default_field: false + - name: parent.args + level: extended + type: keyword + ignore_above: 1024 + description: "Array of process arguments. + + May be filtered to protect sensitive information." + example: + - ssh + - -l + - user + - 10.0.0.16 + default_field: false + - name: parent.args_count + level: extended + type: long + description: "Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity." + example: 4 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: "true" + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: "Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked." + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: "Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status." + example: "true" + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: + "Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked." + example: "true" + default_field: false + - name: parent.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: + "Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information." + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: "Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts." 
+ example: c2c455d9f99375d + default_field: false + - name: parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: + "The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start)." + example: 137 + default_field: false + - name: parent.hash.imphash + level: extended + type: keyword + ignore_above: 1024 + description: Imphash. + default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: "Process name. + + Sometimes called program name or similar." + example: ssh + default_field: false + - name: parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: "2016-05-23T08:05:34.853Z" + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: "Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened." + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: pe_info.architecture + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.authenticode.cert_signer.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_signer.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_signer.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_signer.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_timestamp.issuer_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_timestamp.serial_number + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_timestamp.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.cert_timestamp.timestamp_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.more_info_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.authenticode.program_name + level: custom + type: keyword + ignore_above: 1024 + description: 
TODO + default_field: false + - name: pe_info.authenticode.publisher_link + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.compile_time + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.entry_point_address + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.is_dll + level: custom + type: boolean + description: TODO + default_field: false + - name: pe_info.malware_classification.compressed_malware_features.data_buffer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.malware_classification.compressed_malware_features.decompressed_size + level: custom + type: integer + description: TODO + default_field: false + - name: pe_info.malware_classification.compressed_malware_features.encoding + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.malware_classification.prevention_threshold + level: custom + type: double + description: TODO + default_field: false + - name: pe_info.malware_classification.score + level: custom + type: double + description: TODO + default_field: false + - name: pe_info.malware_classification.threshold + level: custom + type: double + description: TODO + default_field: false + - name: pe_info.malware_classification.upx_packed + level: custom + type: boolean + description: TODO + default_field: false + - name: pe_info.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.pe_exports + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.pe_exports.name + level: custom + type: keyword + ignore_above: 1024 + 
description: TODO + default_field: false + - name: pe_info.pe_exports.ordinal + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.pe_imports + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.pe_imports.dll_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.pe_imports.import_names + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.resources + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.resources.resource_data.entropy + level: custom + type: double + description: TODO + default_field: false + - name: pe_info.resources.resource_data.size + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.resources.resource_id + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.resources.resource_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.resources.resource_type + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.sections + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.sections.entropy + level: custom + type: double + description: TODO + default_field: false + - name: pe_info.sections.name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.sections.raw_offset + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.sections.raw_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.sections.virtual_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: 
false + - name: pe_info.sections.virtual_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.signature_signer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.signature_status + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.version_info + level: custom + type: nested + description: TODO + default_field: false + - name: pe_info.version_info.code_page + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.version_info.key + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pe_info.version_info.language + level: custom + type: long + description: TODO + default_field: false + - name: pe_info.version_info.value_string + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + - name: phys_memory_bytes + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. 
+ example: 4241 + - name: services + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: session_id + level: custom + type: long + description: TODO + default_field: false + - name: short_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: sid + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: signature_signer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: signature_status + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: start + level: extended + type: date + description: The time the process started. + example: "2016-05-23T08:05:34.853Z" + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + - name: threads + level: custom + type: nested + description: TODO + default_field: false + - name: threads.entrypoint + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: threads.id + level: custom + type: long + description: TODO + default_field: false + - name: threads.start + level: custom + type: date + description: TODO + default_field: false + - name: threads.uptime + level: custom + type: long + description: TODO + default_field: false + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: "Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened." 
+ - name: token.domain + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: token.impersonation_level + level: extended + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: token.integrity_level + level: extended + type: long + description: Numeric integrity level. + default_field: false + - name: token.integrity_level_name + level: extended + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + default_field: false + - name: token.is_appcontainer + level: extended + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: token.privileges + level: extended + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: token.privileges.description + level: extended + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: token.privileges.enabled + level: extended + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: token.privileges.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: token.sid + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: token.type + level: extended + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: token.user + level: extended + type: keyword + ignore_above: 1024 + description: Username of token owner. 
+ default_field: false + - name: tty_device_major_number + level: custom + type: integer + description: TODO + default_field: false + - name: tty_device_minor_number + level: custom + type: integer + description: TODO + default_field: false + - name: tty_device_name + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: uid + level: custom + type: long + description: TODO + default_field: false + - name: unbacked_execute_byte_count + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: unbacked_execute_region_count + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: unique_pid + level: custom + type: keyword + ignore_above: 1024 + description: Unique process id. + default_field: false + - name: unique_ppid + level: custom + type: keyword + ignore_above: 1024 + description: Unique parent process id. + default_field: false + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + - name: user + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: virt_memory_bytes + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The working directory of the process. + example: /home/alice +- name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: "Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. 
This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values." + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: + HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false +- name: rule + title: Rule + group: 2 + description: "Rule fields are used to capture the specifics of any observer or + agent rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web + application firewalls, url filters, endpoint detection and response (EDR) systems, + etc." 
+ type: group + fields: + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: + A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: + A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. + example: 101 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: + "Reference URL to additional information about the rule used to + generate this event. + + The URL can point to the vendor's documentation about the rule. If that's + not available, it can also be a link to a more general page describing this + type of alert." + example: https://en.wikipedia.org/wiki/DNS_over_TLS + default_field: false + - name: ruleset + level: extended + type: keyword + ignore_above: 1024 + description: + Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters + default_field: false + - name: uuid + level: extended + type: keyword + ignore_above: 1024 + description: + A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. 
+ example: 1100110011 + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: The version / revision of the rule being used for analysis. + example: 1.1 + default_field: false +- name: source + title: Source + group: 2 + description: + "Source fields describe details about the source of a packet/event. + + Source fields are usually populated in conjunction with destination fields." + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: + "Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is." + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: ip + level: core + type: ip + description: "IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses." + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: + 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk +- name: target + title: Target + group: 2 + description: "These fields contain information about a target. + + These fields provide more context about the target process and thread that are + related to the data in the document. Useful in a security context where a target + process or thread may be acted on by another process or thread." + type: group + fields: + - name: process + level: extended + type: object + object_type: keyword + description: Process. 
+ default_field: false + - name: thread.call_stack + level: custom + type: nested + description: TODO + default_field: false + - name: thread.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.memory_section.memory_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.memory_section.memory_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.id + level: core + type: long + description: Thread id. + example: 3147 + default_field: false + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: thread.service_name + level: extended + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: thread.start + level: extended + type: date + description: The time the thread started. + example: "2016-05-23T08:05:34.853Z" + default_field: false + - name: thread.start_address + level: extended + type: keyword + ignore_above: 1024 + description: Memory address where the thread started. 
+ example: 5442508 + default_field: false + - name: thread.start_address_module + level: extended + type: keyword + ignore_above: 1024 + description: TODO + example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: thread.token.domain + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.token.impersonation_level + level: extended + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: thread.token.integrity_level + level: extended + type: long + description: Numeric integrity level. + default_field: false + - name: thread.token.integrity_level_name + level: extended + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + default_field: false + - name: thread.token.is_appcontainer + level: extended + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: thread.token.privileges + level: extended + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: thread.token.privileges.description + level: extended + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: thread.token.privileges.enabled + level: extended + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: thread.token.privileges.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: thread.token.sid + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: thread.token.type + level: extended + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. 
+ default_field: false + - name: thread.token.user + level: extended + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false +- name: thread + title: Thread + group: 2 + description: TODO + type: group + fields: + - name: call_stack + level: custom + type: nested + description: TODO + default_field: false + - name: call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.memory_section.memory_address + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.memory_section.memory_size + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: id + level: core + type: long + description: Thread id. + example: 3147 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: service_name + level: extended + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: start + level: extended + type: date + description: The time the thread started. 
+ example: "2016-05-23T08:05:34.853Z" + default_field: false + - name: start_address + level: extended + type: keyword + ignore_above: 1024 + description: Memory address where the thread started. + example: 5442508 + default_field: false + - name: start_address_module + level: extended + type: keyword + ignore_above: 1024 + description: TODO + example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: token.domain + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: token.impersonation_level + level: extended + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: token.integrity_level + level: extended + type: long + description: Numeric integrity level. + default_field: false + - name: token.integrity_level_name + level: extended + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + default_field: false + - name: token.is_appcontainer + level: extended + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: token.privileges + level: extended + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: token.privileges.description + level: extended + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: token.privileges.enabled + level: extended + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: token.privileges.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the privilege. 
+ default_field: false + - name: token.sid + level: extended + type: keyword + ignore_above: 1024 + description: TODO + default_field: false + - name: token.type + level: extended + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: token.user + level: extended + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false +- name: threat + title: Threat + group: 2 + description: + 'Fields to classify events and alerts according to a threat taxonomy + such as the Mitre ATT&CK framework. + + These fields are for users to classify alerts from all of their sources (e.g. + IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to + capture the high level category of the threat (e.g. "impact"). The threat.technique.* + fields are meant to capture which kind of approach is used by this detected + threat, to accomplish the goal (e.g. "endpoint denial of service").' + type: group + fields: + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: + Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: tactic.id + level: extended + type: keyword + ignore_above: 1024 + description: + The id of tactic used by this threat. You can use the Mitre ATT&CK + Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: TA0040 + - name: tactic.name + level: extended + type: keyword + ignore_above: 1024 + description: + Name of the type of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/tactics/TA0040/ + ) + example: impact + - name: tactic.reference + level: extended + type: keyword + ignore_above: 1024 + description: + The reference url of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: https://attack.mitre.org/tactics/TA0040/ + - name: technique.id + level: extended + type: keyword + ignore_above: 1024 + description: + The id of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: T1499 + - name: technique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: + The name of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: endpoint denial of service + - name: technique.reference + level: extended + type: keyword + ignore_above: 1024 + description: + The reference url of technique used by this tactic. You can use + the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: https://attack.mitre.org/techniques/T1499/ +- name: user + title: User + group: 2 + description: + "The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them." + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name." + - name: email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. 
+ - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name." + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: + "Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert diff --git a/dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml b/dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml new file mode 100644 index 000000000..ae6b0f6c2 --- /dev/null +++ b/dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml @@ -0,0 +1,6 @@ +title: Endpoint Events + +type: events + +# If set to true, this will be enabled by default in the input selection +default: true diff --git a/dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml b/dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml new file mode 100644 index 000000000..43d3b604d --- /dev/null +++ b/dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml 
@@ -0,0 +1,200 @@
+- name: "@timestamp"
+ level: core
+ required: true
+ type: date
+ description: "Date/time when the event originated.
+
+ This is the date/time extracted from the event, typically representing when
+ the event was generated by the source.
+
+ If the event source has no original timestamp, this value is typically populated
+ by the first time the event was received by the pipeline.
+
+ Required field for all events."
+ example: "2016-05-23T08:05:34.853Z"
+- name: agent
+ title: Agent
+ group: 2
+ description: "The agent fields contain the data about the software entity, if
+ any, that collects, detects, or observes events on a host, or takes measurements
+ on a host.
+
+ Examples include Beats. Agents may also run on observers. ECS agent.* fields
+ shall be populated with details of the agent running on the host or observer
+ where the event happened or the measurement was taken."
+ footnote:
+ "Examples: In the case of Beats for logs, the agent.name is filebeat.
+ For APM, it is the agent running in the app/service. The agent information does
+ not change if data is sent through queuing systems like Kafka, Redis, or processing
+ systems such as Logstash or APM Server."
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique identifier of this agent (if one exists).
+
+ Example: For Beats this would be beat.id."
+ example: 8a4f500d
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Custom name of the agent.
+
+ This is a name that can be given to an agent. This can be helpful if for example
+ two Filebeat instances are running on the same host but a human readable separation
+ is needed on which Filebeat instance data is coming from.
+
+ If no name is given, the name is often left empty."
+ example: foo
+ - name: version
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Version of the agent.
+ example: 6.0.0-rc2
+- name: ecs
+ title: ECS
+ group: 2
+ description: Meta-information specific to ECS.
+ type: group
+ fields:
+ - name: version
+ level: core
+ required: true
+ type: keyword
+ ignore_above: 1024
+ description:
+ "ECS version this event conforms to. `ecs.version` is a required
+ field and must exist in all events.
+
+ When querying across multiple indices -- which may conform to slightly different
+ ECS versions -- this field lets integrations adjust to the schema version
+ of the events."
+ example: 1.0.0
+- name: endpoint
+ title: Endpoint
+ group: 2
+ description: TODO
+ type: group
+ fields:
+ - name: policy.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: TODO
+ default_field: false
+- name: event
+ title: Event
+ group: 2
+ description: "The event fields are used for context information about the log
+ or metric event itself.
+
+ A log is defined as an event containing details of something that happened.
+ Log events must include the time at which the thing happened. Examples of log
+ events include a process starting on a host, a network packet being sent from
+ a source to a destination, or a network connection between a client and a server
+ being initiated or closed. A metric is defined as an event containing one or
+ more numerical or categorical measurements and the time at which the measurement
+ was taken. Examples of metric events include memory pressure measured on a host,
+ or vulnerabilities measured on a scanned host."
+ type: group
+ fields:
+ - name: created
+ level: core
+ type: date
+ description:
+ "event.created contains the date/time when the event was first
+ read by an agent, or by your pipeline.
+
+ This field is distinct from @timestamp in that @timestamp typically contain
+ the time extracted from the original event.
+
+ In most situations, these two timestamps will be slightly different.
The difference
+ can be used to calculate the delay between your source generating an event,
+ and the time when your agent first processed it. This can be used to monitor
+ your agent's or pipeline's ability to keep up with your event source.
+
+ In case the two timestamps are identical, @timestamp should be used."
+ example: "2016-05-23T08:05:34.857Z"
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the
+ event happened, or from which the measurement was taken. Host types include
+ hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine."
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`."
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: os.full
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, including the version or code name.
+ example: Mac OS Mojave
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.variant
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description:
+ A string value or phrase that further aid to classify or qualify
+ the operating system (OS). For example the distribution for a Linux OS will
+ be entered in this field.
+ example: Ubuntu
+ default_field: false
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
diff --git a/dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml b/dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml
new file mode 100644
index 000000000..8a221b6ef
--- /dev/null
+++ b/dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml
@@ -0,0 +1,8 @@
+title: Endpoint Metadata
+
+type: metrics
+
+# If set to true, this will be enabled by default in the input selection
+default: true
+
+
diff --git a/dev/package-examples/endpoint-0.0.1/docs/README.md b/dev/package-examples/endpoint-0.0.1/docs/README.md
new file mode 100644
index 000000000..574870685
--- /dev/null
+++ b/dev/package-examples/endpoint-0.0.1/docs/README.md
@@ -0,0 +1,3 @@
+# Endpoint package
+
+This is a module for the Endpoint Kibana App and Elastic Endpoint. It sets up the templates, index patterns, aliases, and dashboards.
diff --git a/dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json b/dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json
new file mode 100644
index 000000000..22d340343
--- /dev/null
+++ b/dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json
@@ -0,0 +1,14 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_size": "50GB",
+ "max_age": "30d"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/dev/package-examples/endpoint-0.0.1/manifest.yml b/dev/package-examples/endpoint-0.0.1/manifest.yml
new file mode 100644
index 000000000..b32715e92
--- /dev/null
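Review bot: The `endpoint` group and its `policy.id` field are added with `description: TODO` (both in the `- name: endpoint` block in the middle of the hunk), so the only non-ECS, `level: custom` field in this schema is the one that ships undocumented, while every ECS field around it carries its full description. Replace the placeholders with real text, for example `description: Fields specific to the Elastic Endpoint sensor.` on the group and `description: Identifier of the endpoint policy applied to this host.` on `policy.id`, adjusting the wording to what the field actually holds — the meaning is inferred from the name here, not stated on the page. Since this directory is a package example that other packages will be modelled on, a surviving `TODO` would propagate into real schemas.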
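Review bot: The policy defines only a hot-phase `rollover` (`max_size`/`max_age`) and no later phase, so nothing in it ever deletes, shrinks or freezes the rolled-over indices; endpoint event indices therefore accumulate until an operator removes them by hand, which for a dataset that is enabled by default is probably not intended. If unbounded retention is deliberate, document it in the package README, since JSON has no inline comments; otherwise add a `delete` phase next to `"hot"` under `"phases"`, e.g. `"delete": { "min_age": "90d", "actions": { "delete": {} } }`, with a `min_age` matching the package's retention expectations (the `90d` here is a constructed example, not a value from the page).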
+++ b/dev/package-examples/endpoint-0.0.1/manifest.yml
@@ -0,0 +1,18 @@
+format_version: 1.0.0
+name: endpoint
+title: Elastic Endpoint
+description: This is the Elastic Endpoint package.
+version: 0.0.1
+categories: ["security"]
+# Options are experimental, beta, ga
+release: beta
+# The package type. The options for now are [integration, solution], more type might be added in the future.
+# The default type is integration and will be set if empty.
+type: solution
+license: basic
+
+requirement:
+ elasticsearch:
+ versions: ">7.4.0"
+ kibana:
+ versions: ">7.4.0"
diff --git a/util/package.go b/util/package.go
index 9345ae83a..340da6516 100644
--- a/util/package.go
+++ b/util/package.go
@@ -21,8 +21,9 @@ import (
 const defaultType = "integration"
 var CategoryTitles = map[string]string{
- "logs": "Logs",
- "metrics": "Metrics",
+ "logs": "Logs",
+ "metrics": "Metrics",
+ "security": "Security",
 }
 type Package struct {
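Review bot: The `requirement` block uses `versions: ">7.4.0"` for both `elasticsearch` and `kibana`, which, read as a strict inequality, excludes 7.4.0 itself while admitting 7.4.1; if the 7.4 line is supported the constraint should presumably be `versions: ">=7.4.0"`, and if only a later minor is, naming it avoids the ambiguity. Separately, `description: This is the Elastic Endpoint package.` repeats `title` and says nothing about what the package installs, whereas the README in the same commit does; lifting that sentence here, e.g. `description: Templates, index patterns, aliases and dashboards for the Endpoint Kibana App and Elastic Endpoint.`, gives registry consumers the same information. Both points apply to the new-file hunk as a whole.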