From 621e4a2014a2a37cdb4106f2c4e6b2b6814c4a90 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 6 Feb 2020 11:05:45 -0500 Subject: [PATCH] Mark which fields should be arrays. (#727) --- CHANGELOG.next.md | 1 + code/go/ecs/container.go | 2 +- code/go/ecs/host.go | 4 +- code/go/ecs/observer.go | 4 +- code/go/ecs/user.go | 2 +- docs/field-details.asciidoc | 793 +++++++++++++++++- generated/beats/fields.ecs.yml | 22 +- generated/csv/fields.csv | 1062 ++++++++++++------------- generated/ecs/ecs_flat.yml | 555 ++++++++++++- generated/ecs/ecs_nested.yml | 555 ++++++++++++- schemas/README.md | 8 +- schemas/base.yml | 2 + schemas/container.yml | 4 +- schemas/dns.yml | 6 + schemas/event.yml | 4 + schemas/file.yml | 2 + schemas/host.yml | 9 +- schemas/observer.yml | 8 +- schemas/process.yml | 4 + schemas/related.yml | 6 + schemas/threat.yml | 12 + schemas/tls.yml | 6 + schemas/tracing.yml | 5 +- schemas/user.yml | 2 +- schemas/vulnerability.yml | 2 + scripts/generators/asciidoc_fields.py | 7 + scripts/generators/csv_generator.py | 4 +- scripts/schema_reader.py | 1 + scripts/tests/test_ecs_spec.py | 6 + scripts/tests/test_schema_reader.py | 9 +- 30 files changed, 2495 insertions(+), 612 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 196058e144..fe3c9b8242 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> #### Improvements * Temporary workaround for Beats templates' `default_field` growing too big. #687 +* Identify which fields should contain arrays of values, rather than scalar values. #727, #661 #### Deprecated diff --git a/code/go/ecs/container.go b/code/go/ecs/container.go index be47d0ce94..34c5698ba5 100644 --- a/code/go/ecs/container.go +++ b/code/go/ecs/container.go 
@@ -32,7 +32,7 @@ type Container struct { // Name of the image the container was built on. ImageName string `ecs:"image.name"` - // Container image tag. + // Container image tags. ImageTag string `ecs:"image.tag"` // Container name. diff --git a/code/go/ecs/host.go b/code/go/ecs/host.go index 96925dcc33..1d66d78832 100644 --- a/code/go/ecs/host.go +++ b/code/go/ecs/host.go @@ -41,10 +41,10 @@ type Host struct { // Example: The current usage of `beat.name`. ID string `ecs:"id"` - // Host ip address. + // Host ip addresses. IP string `ecs:"ip"` - // Host mac address. + // Host mac addresses. MAC string `ecs:"mac"` // Type of host. diff --git a/code/go/ecs/observer.go b/code/go/ecs/observer.go index c7b65f84af..055a732bc2 100644 --- a/code/go/ecs/observer.go +++ b/code/go/ecs/observer.go @@ -32,10 +32,10 @@ package ecs // and ETL components used in processing events or metrics are not considered // observers in ECS. type Observer struct { - // MAC address of the observer + // MAC addresses of the observer MAC string `ecs:"mac"` - // IP address of the observer. + // IP addresses of the observer. IP string `ecs:"ip"` // Hostname of the observer. diff --git a/code/go/ecs/user.go b/code/go/ecs/user.go index e80effb771..d010a054c9 100644 --- a/code/go/ecs/user.go +++ b/code/go/ecs/user.go @@ -24,7 +24,7 @@ package ecs // Fields can have one entry or multiple entries. If a user has more than one // id, provide an array that includes all of them. type User struct { - // One or multiple unique identifiers of the user. + // Unique identifiers of the user. ID string `ecs:"id"` // Short name or login of the user. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index cd21b3ea4e..a6e5f024f2 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -23,6 +23,8 @@ Required field for all events. type: date + + example: `2016-05-23T08:05:34.853Z` | core 
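Review bot: The comment on `ImageTag` is changed to the plural "tags" and the docs hunk in this commit marks `container.image.tag` as "should contain an array of values", yet the context line keeps the generated type as `ImageTag string`, so a document carrying an array here would fail to decode into this struct. The same mismatch is in the host.go hunk (`IP string`, `MAC string`, now "addresses"), the observer.go hunk (`IP string`, `MAC string`) and the user.go hunk (`ID string`, now "identifiers"); for a consumer decoding events into these types, a multi-valued `host.ip` or `host.mac` would presumably be rejected rather than indexed, which is the kind of event loss worth catching here. None of the scripts in the diffstat appears to be the Go generator, so either the generator should be taught to emit `[]string` for fields carrying the new array attribute, or the comment should state the gap, e.g. `// Container image tags. This field is expected to hold an array of values; the generated type does not yet reflect that.`. The `Container`, `Host`, `Observer` and `User` struct definitions continue outside their hunks.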
@@ -38,6 +40,8 @@ Example: `docker` and `k8s` labels. type: object + + example: `{'application': 'foo-bar', 'env': 'production'}` | core @@ -53,6 +57,8 @@ If multiple messages exist, they can be combined into one message. type: text + + example: `Hello World` | core @@ -64,6 +70,11 @@ example: `Hello World` type: keyword + +Note: this field should contain an array of values. + + + example: `["production", "env2"]` | core @@ -94,6 +105,8 @@ This id normally changes across restarts, but `agent.id` does not. type: keyword + + example: `8a4f500f` | extended @@ -107,6 +120,8 @@ Example: For Beats this would be beat.id. type: keyword + + example: `8a4f500d` | core @@ -122,6 +137,8 @@ If no name is given, the name is often left empty. type: keyword + + example: `foo` | core @@ -135,6 +152,8 @@ The agent type stays always the same and should be given by the agent used. In c type: keyword + + example: `filebeat` | core @@ -146,6 +165,8 @@ example: `filebeat` type: keyword + + example: `6.0.0-rc2` | core @@ -172,6 +193,8 @@ An autonomous system (AS) is a collection of connected Internet Protocol (IP) ro type: long + + example: `15169` | extended @@ -189,6 +212,8 @@ Multi-fields: + + example: `Google LLC` | extended @@ -232,6 +257,8 @@ type: keyword + + | extended // =============================================================== @@ -241,6 +268,8 @@ type: keyword type: long + + example: `184` | core @@ -254,6 +283,8 @@ type: keyword + + | core // =============================================================== @@ -267,6 +298,8 @@ type: ip + + | core // =============================================================== @@ -278,6 +311,8 @@ type: keyword + + | core // =============================================================== @@ -291,6 +326,8 @@ type: ip + + | extended // =============================================================== @@ -304,6 +341,8 @@ type: long + + | extended // =============================================================== 
@@ -313,6 +352,8 @@ type: long type: long + + example: `12` | core @@ -326,6 +367,8 @@ type: long + + | core // =============================================================== @@ -339,6 +382,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -352,6 +397,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -415,6 +462,8 @@ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. type: keyword + + example: `666777888999` | extended @@ -426,6 +475,8 @@ example: `666777888999` type: keyword + + example: `us-east-1c` | extended @@ -437,6 +488,8 @@ example: `us-east-1c` type: keyword + + example: `i-1234567890abcdef0` | extended @@ -450,6 +503,8 @@ type: keyword + + | extended // =============================================================== @@ -459,6 +514,8 @@ type: keyword type: keyword + + example: `t2.medium` | extended @@ -470,6 +527,8 @@ example: `t2.medium` type: keyword + + example: `aws` | extended @@ -481,6 +540,8 @@ example: `aws` type: keyword + + example: `us-east-1` | extended @@ -511,6 +572,8 @@ type: keyword + + | core // =============================================================== @@ -522,16 +585,23 @@ type: keyword + + | extended // =============================================================== | container.image.tag -| Container image tag. +| Container image tags. type: keyword +Note: this field should contain an array of values. + + + + | extended @@ -544,6 +614,8 @@ type: object + + | extended // =============================================================== @@ -555,6 +627,8 @@ type: keyword + + | extended // =============================================================== @@ -564,6 +638,8 @@ type: keyword type: keyword + + example: `docker` | extended 
@@ -596,6 +672,8 @@ type: keyword + + | extended // =============================================================== @@ -605,6 +683,8 @@ type: keyword type: long + + example: `184` | core @@ -618,6 +698,8 @@ type: keyword + + | core // =============================================================== @@ -631,6 +713,8 @@ type: ip + + | core // =============================================================== @@ -642,6 +726,8 @@ type: keyword + + | core // =============================================================== @@ -655,6 +741,8 @@ type: ip + + | extended // =============================================================== @@ -668,6 +756,8 @@ type: long + + | extended // =============================================================== @@ -677,6 +767,8 @@ type: long type: long + + example: `12` | core @@ -690,6 +782,8 @@ type: long + + | core // =============================================================== @@ -703,6 +797,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -716,6 +812,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -784,6 +882,11 @@ Not all DNS data sources give all details about DNS answers. At minimum, answer type: object +Note: this field should contain an array of values. + + + + | extended @@ -794,6 +897,8 @@ type: object type: keyword + + example: `IN` | extended @@ -807,6 +912,8 @@ The meaning of this data depends on the type and class of the resource record. type: keyword + + example: `10.10.10.10` | extended @@ -820,6 +927,8 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword + + example: `www.google.com` | extended @@ -831,6 +940,8 @@ example: `www.google.com` type: long + + example: `180` | extended @@ -842,6 +953,8 @@ example: `180` type: keyword + + example: `CNAME` | extended 
@@ -855,6 +968,11 @@ Expected values are: AA, TC, RD, RA, AD, CD, DO. type: keyword + +Note: this field should contain an array of values. + + + example: `['RD', 'RA']` | extended @@ -866,6 +984,8 @@ example: `['RD', 'RA']` type: keyword + + example: `62111` | extended @@ -877,6 +997,8 @@ example: `62111` type: keyword + + example: `QUERY` | extended @@ -888,6 +1010,8 @@ example: `QUERY` type: keyword + + example: `IN` | extended @@ -901,6 +1025,8 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword + + example: `www.google.com` | extended @@ -916,6 +1042,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -929,6 +1057,8 @@ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", type: keyword + + example: `www` | extended @@ -942,6 +1072,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -953,6 +1085,8 @@ example: `co.uk` type: keyword + + example: `AAAA` | extended @@ -966,6 +1100,11 @@ The `answers` array can be difficult to use, because of the variety of data form type: ip + +Note: this field should contain an array of values. + + + example: `['10.10.10.10', '10.10.10.11']` | extended @@ -977,6 +1116,8 @@ example: `['10.10.10.10', '10.10.10.11']` type: keyword + + example: `NOERROR` | extended @@ -992,6 +1133,8 @@ If your source of DNS events gives you answers as well, you should create one ev type: keyword + + example: `answer` | extended @@ -1020,6 +1163,8 @@ When querying across multiple indices -- which may conform to slightly different type: keyword + + example: `1.0.0` | core @@ -1050,6 +1195,8 @@ type: keyword + + | core // =============================================================== @@ -1061,6 +1208,8 @@ type: keyword + + | core // =============================================================== 
@@ -1072,6 +1221,8 @@ type: text + + | core // =============================================================== @@ -1089,6 +1240,8 @@ Multi-fields: + + | extended // =============================================================== @@ -1098,6 +1251,8 @@ Multi-fields: type: keyword + + example: `java.lang.NullPointerException` | extended @@ -1128,6 +1283,8 @@ This describes the information in the event. It is more specific than `event.cat type: keyword + + example: `user-password-change` | core @@ -1144,6 +1301,11 @@ This field is an array. This will allow proper categorization of some events tha type: keyword +Note: this field should contain an array of values. + + + + *Important*: The field value must be one of the following: authentication, database, driver, file, host, intrusion_detection, malware, package, process, web @@ -1163,6 +1325,8 @@ Some event sources use event codes to identify messages unambiguously, regardles type: keyword + + example: `4648` | extended @@ -1180,6 +1344,8 @@ In case the two timestamps are identical, @timestamp should be used. type: date + + example: `2016-05-23T08:05:34.857Z` | core @@ -1195,6 +1361,8 @@ It's recommended but not required to start the dataset name with the module name type: keyword + + example: `apache.access` | core @@ -1210,6 +1378,8 @@ type: long + + | core // =============================================================== @@ -1221,6 +1391,8 @@ type: date + + | extended // =============================================================== @@ -1230,6 +1402,8 @@ type: date type: keyword + + example: `123456789012345678901234567890ABCD` | extended @@ -1241,6 +1415,8 @@ example: `123456789012345678901234567890ABCD` type: keyword + + example: `8a4f500d` | core @@ -1256,6 +1432,8 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date + + example: `2016-05-23T08:05:35.101Z` | core 
@@ -1272,6 +1450,8 @@ The value of this field can be used to inform how these kinds of events should b type: keyword + + *Important*: The field value must be one of the following: alert, event, metric, state, pipeline_error, signal @@ -1291,6 +1471,8 @@ If your monitoring agent supports the concept of modules or plugins to process e type: keyword + + example: `apache` | core @@ -1304,6 +1486,8 @@ This field is not indexed and doc_values are disabled. It cannot be searched, bu type: keyword + + example: `Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232` | core @@ -1318,6 +1502,8 @@ example: `Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0& type: keyword + + *Important*: The field value must be one of the following: failure, success, unknown @@ -1337,6 +1523,8 @@ Event transports such as Syslog or the Windows Event Log typically mention the s type: keyword + + example: `kernel` | extended @@ -1350,6 +1538,8 @@ type: float + + | core // =============================================================== @@ -1363,6 +1553,8 @@ type: float + + | extended // =============================================================== @@ -1376,6 +1568,8 @@ type: long + + | extended // =============================================================== @@ -1389,6 +1583,8 @@ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is m type: long + + example: `7` | core @@ -1402,6 +1598,8 @@ type: date + + | extended // =============================================================== @@ -1415,6 +1613,8 @@ type: keyword + + | extended // =============================================================== 
@@ -1429,6 +1629,11 @@ This field is an array. This will allow proper categorization of some events tha type: keyword +Note: this field should contain an array of values. + + + + *Important*: The field value must be one of the following: access, change, creation, deletion, end, error, info, installation, start @@ -1467,6 +1672,8 @@ type: date + + | extended // =============================================================== @@ -1478,6 +1685,11 @@ Attributes names will vary by platform. Here's a non-exhaustive list of values t type: keyword + +Note: this field should contain an array of values. + + + example: `["readonly", "system"]` | extended @@ -1493,6 +1705,8 @@ type: date + + | extended // =============================================================== @@ -1506,6 +1720,8 @@ type: date + + | extended // =============================================================== @@ -1515,6 +1731,8 @@ type: date type: keyword + + example: `sda` | extended @@ -1526,6 +1744,8 @@ example: `sda` type: keyword + + example: `/home/alice` | extended @@ -1539,6 +1759,8 @@ The value should be uppercase, and not include the colon. type: keyword + + example: `C` | extended @@ -1550,6 +1772,8 @@ example: `C` type: keyword + + example: `png` | extended @@ -1561,6 +1785,8 @@ example: `png` type: keyword + + example: `1001` | extended @@ -1572,6 +1798,8 @@ example: `1001` type: keyword + + example: `alice` | extended @@ -1583,6 +1811,8 @@ example: `alice` type: keyword + + example: `256383` | extended @@ -1594,6 +1824,8 @@ example: `256383` type: keyword + + example: `0640` | extended @@ -1607,6 +1839,8 @@ type: date + + | extended // =============================================================== @@ -1616,6 +1850,8 @@ type: date type: keyword + + example: `example.png` | extended @@ -1627,6 +1863,8 @@ example: `example.png` type: keyword + + example: `alice` | extended @@ -1644,6 +1882,8 @@ Multi-fields: + + example: `/home/alice/example.png` | extended 
@@ -1657,6 +1897,8 @@ Only relevant when `file.type` is "file". type: long + + example: `16384` | extended @@ -1676,6 +1918,8 @@ Multi-fields: + + | extended // =============================================================== @@ -1685,6 +1929,8 @@ Multi-fields: type: keyword + + example: `file` | extended @@ -1696,6 +1942,8 @@ example: `file` type: keyword + + example: `1001` | extended @@ -1747,6 +1995,8 @@ This geolocation information can be derived from techniques such as Geo IP, or b type: keyword + + example: `Montreal` | core @@ -1758,6 +2008,8 @@ example: `Montreal` type: keyword + + example: `North America` | core @@ -1769,6 +2021,8 @@ example: `North America` type: keyword + + example: `CA` | core @@ -1780,6 +2034,8 @@ example: `CA` type: keyword + + example: `Canada` | core @@ -1791,6 +2047,8 @@ example: `Canada` type: geo_point + + example: `{ "lon": -73.614830, "lat": 45.505918 }` | core @@ -1806,6 +2064,8 @@ Not typically used in automated geolocation. type: keyword + + example: `boston-dc` | extended @@ -1817,6 +2077,8 @@ example: `boston-dc` type: keyword + + example: `CA-QC` | core @@ -1828,6 +2090,8 @@ example: `CA-QC` type: keyword + + example: `Quebec` | core @@ -1867,6 +2131,8 @@ type: keyword + + | extended // =============================================================== @@ -1878,6 +2144,8 @@ type: keyword + + | extended // =============================================================== @@ -1889,6 +2157,8 @@ type: keyword + + | extended // =============================================================== @@ -1926,6 +2196,8 @@ type: keyword + + | extended // =============================================================== @@ -1937,6 +2209,8 @@ type: keyword + + | extended // =============================================================== @@ -1948,6 +2222,8 @@ type: keyword + + | extended // =============================================================== 
@@ -1959,6 +2235,8 @@ type: keyword + + | extended // =============================================================== @@ -1994,6 +2272,8 @@ ECS host.* fields should be populated with details about the host on which the e type: keyword + + example: `x86_64` | core @@ -2007,6 +2287,8 @@ For example, on Windows this could be the host's Active Directory domain or NetB type: keyword + + example: `CONTOSO` | extended @@ -2022,6 +2304,8 @@ type: keyword + + | core // =============================================================== @@ -2037,27 +2321,39 @@ type: keyword + + | core // =============================================================== | host.ip -| Host ip address. +| Host ip addresses. type: ip +Note: this field should contain an array of values. + + + + | core // =============================================================== | host.mac -| Host mac address. +| Host mac addresses. type: keyword +Note: this field should contain an array of values. + + + + | core @@ -2072,6 +2368,8 @@ type: keyword + + | core // =============================================================== @@ -2085,6 +2383,8 @@ type: keyword + + | core // =============================================================== @@ -2094,6 +2394,8 @@ type: keyword type: long + + example: `1325` | extended @@ -2155,6 +2457,8 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the type: long + + example: `887` | extended @@ -2172,6 +2476,8 @@ Multi-fields: + + example: `Hello world` | extended @@ -2183,6 +2489,8 @@ example: `Hello world` type: long + + example: `1437` | extended @@ -2196,6 +2504,8 @@ The field value must be normalized to lowercase for querying. See the documentat type: keyword + + example: `get, post, put` | extended @@ -2207,6 +2517,8 @@ example: `get, post, put` type: keyword + + example: `https://blog.example.com/` | extended @@ -2218,6 +2530,8 @@ example: `https://blog.example.com/` type: long + + example: `887` | extended 
@@ -2235,6 +2549,8 @@ Multi-fields: + + example: `Hello world` | extended @@ -2246,6 +2562,8 @@ example: `Hello world` type: long + + example: `1437` | extended @@ -2257,6 +2575,8 @@ example: `1437` type: long + + example: `404` | extended @@ -2268,6 +2588,8 @@ example: `404` type: keyword + + example: `1.1` | extended @@ -2302,6 +2624,8 @@ Some examples are `warn`, `err`, `i`, `informational`. type: keyword + + example: `error` | core @@ -2313,6 +2637,8 @@ example: `error` type: keyword + + example: `org.elasticsearch.bootstrap.Bootstrap` | core @@ -2324,6 +2650,8 @@ example: `org.elasticsearch.bootstrap.Bootstrap` type: integer + + example: `42` | extended @@ -2335,6 +2663,8 @@ example: `42` type: keyword + + example: `Bootstrap.java` | extended @@ -2346,6 +2676,8 @@ example: `Bootstrap.java` type: keyword + + example: `init` | extended @@ -2361,6 +2693,8 @@ This field is not indexed and doc_values are disabled so it can't be queried but type: keyword + + example: `Sep 19 08:26:10 localhost My log` | core @@ -2374,6 +2708,8 @@ type: object + + | extended // =============================================================== @@ -2385,6 +2721,8 @@ According to RFCs 5424 and 3164, this value should be an integer between 0 and 2 type: long + + example: `23` | extended @@ -2396,6 +2734,8 @@ example: `23` type: keyword + + example: `local7` | extended @@ -2409,6 +2749,8 @@ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This n type: long + + example: `135` | extended @@ -2422,6 +2764,8 @@ If the event source publishing via Syslog provides a different numeric severity type: long + + example: `3` | extended @@ -2435,6 +2779,8 @@ If the event source publishing via Syslog provides a different severity value (e type: keyword + + example: `Error` | extended @@ -2465,6 +2811,8 @@ The field value must be normalized to lowercase for querying. See the documentat type: keyword + + example: `aim` | extended 
@@ -2478,6 +2826,8 @@ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their su type: long + + example: `368` | core @@ -2491,6 +2841,8 @@ Learn more at https://github.com/corelight/community-id-spec. type: keyword + + example: `1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=` | extended @@ -2520,6 +2872,8 @@ When mapping events from a network or perimeter-based monitoring context, popula type: keyword + + example: `inbound` | core @@ -2531,6 +2885,8 @@ example: `inbound` type: ip + + example: `192.1.1.2` | core @@ -2542,6 +2898,8 @@ example: `192.1.1.2` type: keyword + + example: `6` | extended @@ -2553,6 +2911,8 @@ example: `6` type: keyword + + example: `Guest Wifi` | extended @@ -2566,6 +2926,8 @@ If `source.packets` and `destination.packets` are known, `network.packets` is th type: long + + example: `24` | core @@ -2579,6 +2941,8 @@ The field value must be normalized to lowercase for querying. See the documentat type: keyword + + example: `http` | core @@ -2592,6 +2956,8 @@ The field value must be normalized to lowercase for querying. See the documentat type: keyword + + example: `tcp` | core @@ -2605,6 +2971,8 @@ The field value must be normalized to lowercase for querying. See the documentat type: keyword + + example: `ipv4` | core @@ -2635,27 +3003,39 @@ type: keyword + + | core // =============================================================== | observer.ip -| IP address of the observer. +| IP addresses of the observer. type: ip +Note: this field should contain an array of values. + + + + | core // =============================================================== | observer.mac -| MAC address of the observer +| MAC addresses of the observer type: keyword +Note: this field should contain an array of values. + + + + | core @@ -2670,6 +3050,8 @@ If no custom name is needed, the field can be left empty. type: keyword + + example: `1_proxySG` | extended @@ -2681,6 +3063,8 @@ example: `1_proxySG` type: keyword + + example: `s200` | extended 
@@ -2694,6 +3078,8 @@ type: keyword + + | extended // =============================================================== @@ -2705,6 +3091,8 @@ There is no predefined list of observer types. Some examples are `forwarder`, `f type: keyword + + example: `firewall` | core @@ -2716,6 +3104,8 @@ example: `firewall` type: keyword + + example: `Symantec` | core @@ -2729,6 +3119,8 @@ type: keyword + + | core // =============================================================== @@ -2786,6 +3178,8 @@ type: keyword + + | extended // =============================================================== @@ -2803,6 +3197,8 @@ Multi-fields: + + | extended // =============================================================== @@ -2827,6 +3223,8 @@ The OS fields contain information about the operating system. type: keyword + + example: `debian` | extended @@ -2844,6 +3242,8 @@ Multi-fields: + + example: `Mac OS Mojave` | extended @@ -2855,6 +3255,8 @@ example: `Mac OS Mojave` type: keyword + + example: `4.4.0-112-generic` | extended @@ -2872,6 +3274,8 @@ Multi-fields: + + example: `Mac OS X` | extended @@ -2883,6 +3287,8 @@ example: `Mac OS X` type: keyword + + example: `darwin` | extended @@ -2894,6 +3300,8 @@ example: `darwin` type: keyword + + example: `10.14.1` | extended @@ -2929,6 +3337,8 @@ These fields contain information about an installed software package. It contain type: keyword + + example: `x86_64` | extended @@ -2942,6 +3352,8 @@ For example use the commit SHA of a non-released package. type: keyword + + example: `36f4f7e89dd61b0988b12ee000b98966867710cd` | extended @@ -2953,6 +3365,8 @@ example: `36f4f7e89dd61b0988b12ee000b98966867710cd` type: keyword + + example: `68b329da9893e34099c7d8ad5cb9c940` | extended @@ -2964,6 +3378,8 @@ example: `68b329da9893e34099c7d8ad5cb9c940` type: keyword + + example: `Open source programming language to build simple/reliable/efficient software.` | extended 
@@ -2975,6 +3391,8 @@ example: `Open source programming language to build simple/reliable/efficient so type: keyword + + example: `global` | extended @@ -2988,6 +3406,8 @@ type: date + + | extended // =============================================================== @@ -2999,6 +3419,8 @@ Use a short name, e.g. the license identifier from SPDX License List where possi type: keyword + + example: `Apache License 2.0` | extended @@ -3010,6 +3432,8 @@ example: `Apache License 2.0` type: keyword + + example: `go` | extended @@ -3021,6 +3445,8 @@ example: `go` type: keyword + + example: `/usr/local/Cellar/go/1.12.9/` | extended @@ -3032,6 +3458,8 @@ example: `/usr/local/Cellar/go/1.12.9/` type: keyword + + example: `https://golang.org` | extended @@ -3043,6 +3471,8 @@ example: `https://golang.org` type: long + + example: `62231` | extended @@ -3056,6 +3486,8 @@ This should contain the package file type, rather than the package manager name. type: keyword + + example: `rpm` | extended @@ -3067,6 +3499,8 @@ example: `rpm` type: keyword + + example: `1.12.9` | extended @@ -3097,6 +3531,11 @@ May be filtered to protect sensitive information. type: keyword + +Note: this field should contain an array of values. + + + example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']` | extended @@ -3110,6 +3549,8 @@ This field can be useful for querying or performing bucket analysis on how many type: long + + example: `4` | extended @@ -3129,6 +3570,8 @@ Multi-fields: + + example: `/usr/bin/ssh -l user 10.0.0.16` | extended @@ -3146,6 +3589,8 @@ Multi-fields: + + example: `/usr/bin/ssh` | extended @@ -3159,6 +3604,8 @@ The field should be absent if there is no exit code for the event (e.g. process type: long + + example: `137` | extended @@ -3178,6 +3625,8 @@ Multi-fields: + + example: `ssh` | extended 
@@ -3191,6 +3640,11 @@ May be filtered to protect sensitive information. type: keyword + +Note: this field should contain an array of values. + + + example: `['ssh', '-l', 'user', '10.0.0.16']` | extended @@ -3204,6 +3658,8 @@ This field can be useful for querying or performing bucket analysis on how many type: long + + example: `4` | extended @@ -3223,6 +3679,8 @@ Multi-fields: + + example: `/usr/bin/ssh -l user 10.0.0.16` | extended @@ -3240,6 +3698,8 @@ Multi-fields: + + example: `/usr/bin/ssh` | extended @@ -3253,6 +3713,8 @@ The field should be absent if there is no exit code for the event (e.g. process type: long + + example: `137` | extended @@ -3272,6 +3734,8 @@ Multi-fields: + + example: `ssh` | extended @@ -3285,6 +3749,8 @@ type: long + + | extended // =============================================================== @@ -3294,6 +3760,8 @@ type: long type: long + + example: `4242` | core @@ -3305,6 +3773,8 @@ example: `4242` type: long + + example: `4241` | extended @@ -3316,6 +3786,8 @@ example: `4241` type: date + + example: `2016-05-23T08:05:34.853Z` | extended @@ -3327,6 +3799,8 @@ example: `2016-05-23T08:05:34.853Z` type: long + + example: `4242` | extended @@ -3338,6 +3812,8 @@ example: `4242` type: keyword + + example: `thread-0` | extended @@ -3359,6 +3835,8 @@ Multi-fields: + + | extended // =============================================================== @@ -3368,6 +3846,8 @@ Multi-fields: type: long + + example: `1325` | extended @@ -3385,6 +3865,8 @@ Multi-fields: + + example: `/home/alice` | extended @@ -3398,6 +3880,8 @@ type: long + + | extended // =============================================================== @@ -3407,6 +3891,8 @@ type: long type: long + + example: `4242` | core @@ -3418,6 +3904,8 @@ example: `4242` type: long + + example: `4241` | extended @@ -3429,6 +3917,8 @@ example: `4241` type: date + + example: `2016-05-23T08:05:34.853Z` | extended 
@@ -3440,6 +3930,8 @@ example: `2016-05-23T08:05:34.853Z` type: long + + example: `4242` | extended @@ -3451,6 +3943,8 @@ example: `4242` type: keyword + + example: `thread-0` | extended @@ -3472,6 +3966,8 @@ Multi-fields: + + | extended // =============================================================== @@ -3481,6 +3977,8 @@ Multi-fields: type: long + + example: `1325` | extended @@ -3498,6 +3996,8 @@ Multi-fields: + + example: `/home/alice` | extended @@ -3549,6 +4049,8 @@ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this co type: keyword + + example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=` | extended @@ -3562,6 +4064,8 @@ Populated as an array when writing string data to the registry. For single strin type: keyword + + example: `["C:\rta\red_ttp\bin\myapp.exe"]` | core @@ -3573,6 +4077,8 @@ example: `["C:\rta\red_ttp\bin\myapp.exe"]` type: keyword + + example: `REG_SZ` | core @@ -3584,6 +4090,8 @@ example: `REG_SZ` type: keyword + + example: `HKLM` | core @@ -3595,6 +4103,8 @@ example: `HKLM` type: keyword + + example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | core @@ -3606,6 +4116,8 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti type: keyword + + example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | core @@ -3617,6 +4129,8 @@ example: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution type: keyword + + example: `Debugger` | core @@ -3648,6 +4162,11 @@ A concrete example is IP addresses, which can be under host, observer, source, d type: keyword +Note: this field should contain an array of values. + + + + | extended @@ -3659,6 +4178,11 @@ type: keyword type: ip +Note: this field should contain an array of values. + + + + | extended @@ -3670,6 +4194,11 @@ type: ip type: keyword +Note: this field should contain an array of values. + + + + | extended 
@@ -3697,6 +4226,8 @@ Examples of data sources that would populate the rule fields include: network ad type: keyword + + example: `Attempted Information Leak` | extended @@ -3708,6 +4239,8 @@ example: `Attempted Information Leak` type: keyword + + example: `Block requests to public DNS over HTTPS / TLS protocols` | extended @@ -3719,6 +4252,8 @@ example: `Block requests to public DNS over HTTPS / TLS protocols` type: keyword + + example: `101` | extended @@ -3730,6 +4265,8 @@ example: `101` type: keyword + + example: `BLOCK_DNS_over_TLS` | extended @@ -3743,6 +4280,8 @@ The URL can point to the vendor's documentation about the rule. If that's not av type: keyword + + example: `https://en.wikipedia.org/wiki/DNS_over_TLS` | extended @@ -3754,6 +4293,8 @@ example: `https://en.wikipedia.org/wiki/DNS_over_TLS` type: keyword + + example: `Standard_Protocol_Filters` | extended @@ -3765,6 +4306,8 @@ example: `Standard_Protocol_Filters` type: keyword + + example: `1100110011` | extended @@ -3776,6 +4319,8 @@ example: `1100110011` type: keyword + + example: `1.1` | extended @@ -3810,6 +4355,8 @@ type: keyword + + | extended // =============================================================== @@ -3819,6 +4366,8 @@ type: keyword type: long + + example: `184` | core @@ -3832,6 +4381,8 @@ type: keyword + + | core // =============================================================== @@ -3845,6 +4396,8 @@ type: ip + + | core // =============================================================== @@ -3856,6 +4409,8 @@ type: keyword + + | core // =============================================================== @@ -3869,6 +4424,8 @@ type: ip + + | extended // =============================================================== @@ -3882,6 +4439,8 @@ type: long + + | extended // =============================================================== @@ -3891,6 +4450,8 @@ type: long type: long + + example: `12` | core 
@@ -3904,6 +4465,8 @@ type: long + + | core // =============================================================== @@ -3917,6 +4480,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -3930,6 +4495,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -3995,6 +4562,8 @@ This id normally changes across restarts, but `service.id` does not. type: keyword + + example: `8a4f500f` | extended @@ -4010,6 +4579,8 @@ Note that if you need to see the events from one specific host of the service, y type: keyword + + example: `d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6` | core @@ -4025,6 +4596,8 @@ In the case of Elasticsearch the `service.name` could contain the cluster name. type: keyword + + example: `elasticsearch-metrics` | core @@ -4040,6 +4613,8 @@ In the case of Elasticsearch, the `service.node.name` could contain the unique n type: keyword + + example: `instance-0000000016` | extended @@ -4053,6 +4628,8 @@ type: keyword + + | core // =============================================================== @@ -4066,6 +4643,8 @@ Example: If logs or metrics are collected from Elasticsearch, `service.type` wou type: keyword + + example: `elasticsearch` | core @@ -4079,6 +4658,8 @@ This allows to look at a data set only for a specific version of a service. type: keyword + + example: `3.2.4` | core @@ -4111,6 +4692,8 @@ type: keyword + + | extended // =============================================================== @@ -4120,6 +4703,8 @@ type: keyword type: long + + example: `184` | core @@ -4133,6 +4718,8 @@ type: keyword + + | core // =============================================================== @@ -4146,6 +4733,8 @@ type: ip + + | core // =============================================================== @@ -4157,6 +4746,8 @@ type: keyword + + | core // =============================================================== 
@@ -4170,6 +4761,8 @@ type: ip + + | extended // =============================================================== @@ -4183,6 +4776,8 @@ type: long + + | extended // =============================================================== @@ -4192,6 +4787,8 @@ type: long type: long + + example: `12` | core @@ -4205,6 +4802,8 @@ type: long + + | core // =============================================================== @@ -4218,6 +4817,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -4231,6 +4832,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -4294,6 +4897,8 @@ These fields are for users to classify alerts from all of their sources (e.g. ID type: keyword + + example: `MITRE ATT&CK` | extended @@ -4305,6 +4910,11 @@ example: `MITRE ATT&CK` type: keyword + +Note: this field should contain an array of values. + + + example: `TA0040` | extended @@ -4316,6 +4926,11 @@ example: `TA0040` type: keyword + +Note: this field should contain an array of values. + + + example: `impact` | extended @@ -4327,6 +4942,11 @@ example: `impact` type: keyword + +Note: this field should contain an array of values. + + + example: `https://attack.mitre.org/tactics/TA0040/` | extended @@ -4338,6 +4958,11 @@ example: `https://attack.mitre.org/tactics/TA0040/` type: keyword + +Note: this field should contain an array of values. + + + example: `T1499` | extended @@ -4355,6 +4980,11 @@ Multi-fields: + +Note: this field should contain an array of values. + + + example: `endpoint denial of service` | extended @@ -4366,6 +4996,11 @@ example: `endpoint denial of service` type: keyword + +Note: this field should contain an array of values. + + + example: `https://attack.mitre.org/techniques/T1499/` | extended 
@@ -4392,6 +5027,8 @@ Fields related to a TLS connection. These fields focus on the TLS protocol itsel type: keyword + + example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | extended @@ -4403,6 +5040,8 @@ example: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` type: keyword + + example: `MII...` | extended @@ -4414,6 +5053,11 @@ example: `MII...` type: keyword + +Note: this field should contain an array of values. + + + example: `['MII...', 'MII...']` | extended @@ -4425,6 +5069,8 @@ example: `['MII...', 'MII...']` type: keyword + + example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | extended @@ -4436,6 +5082,8 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` type: keyword + + example: `9E393D93138888D288266C2D915214D1D1CCEB2A` | extended @@ -4447,6 +5095,8 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A` type: keyword + + example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | extended @@ -4458,6 +5108,8 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` type: keyword + + example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` | extended @@ -4469,6 +5121,8 @@ example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` type: keyword + + example: `d4e5b18d6b55c71272893221c96ba240` | extended @@ -4480,6 +5134,8 @@ example: `d4e5b18d6b55c71272893221c96ba240` type: date + + example: `2021-01-01T00:00:00.000Z` | extended @@ -4491,6 +5147,8 @@ example: `2021-01-01T00:00:00.000Z` type: date + + example: `1970-01-01T00:00:00.000Z` | extended @@ -4502,6 +5160,8 @@ example: `1970-01-01T00:00:00.000Z` type: keyword + + example: `www.elastic.co` | extended @@ -4513,6 +5173,8 @@ example: `www.elastic.co` type: keyword + + example: `CN=myclient, OU=Documentation Team, DC=mydomain, DC=com` | extended 
@@ -4524,6 +5186,11 @@ example: `CN=myclient, OU=Documentation Team, DC=mydomain, DC=com` type: keyword + +Note: this field should contain an array of values. + + + example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']` | extended @@ -4535,6 +5202,8 @@ example: `['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_25 type: keyword + + example: `secp256r1` | extended @@ -4548,6 +5217,8 @@ type: boolean + + | extended // =============================================================== @@ -4557,6 +5228,8 @@ type: boolean type: keyword + + example: `http/1.1` | extended @@ -4570,6 +5243,8 @@ type: boolean + + | extended // =============================================================== @@ -4579,6 +5254,8 @@ type: boolean type: keyword + + example: `MII...` | extended @@ -4590,6 +5267,11 @@ example: `MII...` type: keyword + +Note: this field should contain an array of values. + + + example: `['MII...', 'MII...']` | extended @@ -4601,6 +5283,8 @@ example: `['MII...', 'MII...']` type: keyword + + example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | extended @@ -4612,6 +5296,8 @@ example: `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` type: keyword + + example: `9E393D93138888D288266C2D915214D1D1CCEB2A` | extended @@ -4623,6 +5309,8 @@ example: `9E393D93138888D288266C2D915214D1D1CCEB2A` type: keyword + + example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | extended @@ -4634,6 +5322,8 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` type: keyword + + example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` | extended @@ -4645,6 +5335,8 @@ example: `CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com` type: keyword + + example: `394441ab65754e2207b1e1b457b3641d` | extended @@ -4656,6 +5348,8 @@ example: `394441ab65754e2207b1e1b457b3641d` type: date + + example: `2021-01-01T00:00:00.000Z` | extended 
@@ -4667,6 +5361,8 @@ example: `2021-01-01T00:00:00.000Z` type: date + + example: `1970-01-01T00:00:00.000Z` | extended @@ -4678,6 +5374,8 @@ example: `1970-01-01T00:00:00.000Z` type: keyword + + example: `CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com` | extended @@ -4689,6 +5387,8 @@ example: `CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com` type: keyword + + example: `1.2` | extended @@ -4700,6 +5400,8 @@ example: `1.2` type: keyword + + example: `tls` | extended @@ -4728,6 +5430,8 @@ A trace groups multiple events like transactions that belong together. For examp type: keyword + + example: `4bf92f3577b34da6a3ce929d0e0e4736` | extended @@ -4741,6 +5445,8 @@ A transaction is the highest level of work measured within a service, such as a type: keyword + + example: `00f067aa0ba902b7` | extended @@ -4769,6 +5475,8 @@ In some cases a URL may refer to an IP and/or port directly, without a domain na type: keyword + + example: `www.elastic.co` | extended @@ -4784,6 +5492,8 @@ The leading period must not be included. For example, the value must be "png", n type: keyword + + example: `png` | extended @@ -4799,6 +5509,8 @@ type: keyword + + | extended // =============================================================== @@ -4814,6 +5526,8 @@ Multi-fields: + + example: `https://www.elastic.co:443/search?q=elasticsearch#top` | extended @@ -4835,6 +5549,8 @@ Multi-fields: + + example: `https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch` | extended @@ -4848,6 +5564,8 @@ type: keyword + + | extended // =============================================================== @@ -4859,6 +5577,8 @@ type: keyword + + | extended // =============================================================== @@ -4868,6 +5588,8 @@ type: keyword type: long + + example: `443` | extended @@ -4883,6 +5605,8 @@ type: keyword + + | extended // =============================================================== 
@@ -4896,6 +5620,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `google.com` | extended @@ -4909,6 +5635,8 @@ Note: The `:` is not part of the scheme. type: keyword + + example: `https` | extended @@ -4922,6 +5650,8 @@ This value can be determined precisely with a list like the public suffix list ( type: keyword + + example: `co.uk` | extended @@ -4935,6 +5665,8 @@ type: keyword + + | extended // =============================================================== @@ -4965,6 +5697,8 @@ type: keyword + + | extended // =============================================================== @@ -4976,6 +5710,8 @@ type: keyword + + | extended // =============================================================== @@ -4991,6 +5727,8 @@ Multi-fields: + + example: `Albert Einstein` | extended @@ -5006,17 +5744,21 @@ type: keyword + + | extended // =============================================================== | user.id -| One or multiple unique identifiers of the user. +| Unique identifiers of the user. type: keyword + + | core // =============================================================== @@ -5032,6 +5774,8 @@ Multi-fields: + + example: `albert` | core @@ -5087,6 +5831,8 @@ They often show up in web service logs coming from the parsed user agent string. type: keyword + + example: `iPhone` | extended @@ -5098,6 +5844,8 @@ example: `iPhone` type: keyword + + example: `Safari` | extended @@ -5115,6 +5863,8 @@ Multi-fields: + + example: `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1` | extended @@ -5126,6 +5876,8 @@ example: `Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605 type: keyword + + example: `12.0` | extended @@ -5177,6 +5929,11 @@ This field must be an array. type: keyword + +Note: this field should contain an array of values. + + + example: `["Firewall"]` | extended 
@@ -5188,6 +5945,8 @@ example: `["Firewall"]` type: keyword + + example: `CVSS` | extended @@ -5205,6 +5964,8 @@ Multi-fields: + + example: `In macOS before 2.12.6, there is a vulnerability in the RPC...` | extended @@ -5216,6 +5977,8 @@ example: `In macOS before 2.12.6, there is a vulnerability in the RPC...` type: keyword + + example: `CVE` | extended @@ -5227,6 +5990,8 @@ example: `CVE` type: keyword + + example: `CVE-2019-00001` | extended @@ -5238,6 +6003,8 @@ example: `CVE-2019-00001` type: keyword + + example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111` | extended @@ -5249,6 +6016,8 @@ example: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111` type: keyword + + example: `20191018.0001` | extended @@ -5260,6 +6029,8 @@ example: `20191018.0001` type: keyword + + example: `Tenable` | extended @@ -5273,6 +6044,8 @@ Base scores cover an assessment for exploitability metrics (attack vector, compl type: float + + example: `5.5` | extended @@ -5286,6 +6059,8 @@ Environmental scores cover an assessment for any modified Base metrics, confiden type: float + + example: `5.5` | extended @@ -5301,6 +6076,8 @@ type: float + + | extended // =============================================================== @@ -5312,6 +6089,8 @@ CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit orga type: keyword + + example: `2.0` | extended @@ -5323,6 +6102,8 @@ example: `2.0` type: keyword + + example: `Critical` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index c692103f80..781def75cd 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -360,7 +360,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword 
@@ -452,7 +452,7 @@ level: extended type: keyword ignore_above: 1024 - description: Container image tag. + description: Container image tags. - name: labels level: extended type: object @@ -680,7 +680,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -1555,12 +1555,12 @@ - name: ip level: core type: ip - description: Host ip address. + description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 - description: Host mac address. + description: Host mac addresses. - name: name level: core type: keyword @@ -1683,7 +1683,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -2079,12 +2079,12 @@ - name: ip level: core type: ip - description: IP address of the observer. + description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 - description: MAC address of the observer + description: MAC addresses of the observer - name: name level: extended type: keyword @@ -3077,7 +3077,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3388,7 +3388,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3938,7 +3938,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: name level: core type: keyword 
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 7386d21b88..0caa98ed32 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,531 +1,531 @@ -ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description -1.5.0-dev,true,base,@timestamp,date,core,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.5.0-dev,true,base,labels,object,core,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. -1.5.0-dev,true,base,message,text,core,Hello World,Log message optimized for viewing in a log viewer. -1.5.0-dev,true,base,tags,keyword,core,"[""production"", ""env2""]",List of keywords used to tag each event. -1.5.0-dev,true,agent,agent.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this agent. -1.5.0-dev,true,agent,agent.id,keyword,core,8a4f500d,Unique identifier of this agent. -1.5.0-dev,true,agent,agent.name,keyword,core,foo,Custom name of the agent. -1.5.0-dev,true,agent,agent.type,keyword,core,filebeat,Type of the agent. -1.5.0-dev,true,agent,agent.version,keyword,core,6.0.0-rc2,Version of the agent. -1.5.0-dev,true,as,as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.5.0-dev,true,as,as.organization.name,keyword,extended,Google LLC,Organization name. -1.5.0-dev,true,as,as.organization.name.text,text,extended,Google LLC,Organization name. -1.5.0-dev,true,client,client.address,keyword,extended,,Client network address. -1.5.0-dev,true,client,client.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.5.0-dev,true,client,client.as.organization.name,keyword,extended,Google LLC,Organization name. -1.5.0-dev,true,client,client.as.organization.name.text,text,extended,Google LLC,Organization name. -1.5.0-dev,true,client,client.bytes,long,core,184,Bytes sent from the client to the server. -1.5.0-dev,true,client,client.domain,keyword,core,,Client domain. 
-1.5.0-dev,true,client,client.geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,client,client.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,client,client.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,client,client.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,client,client.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,client,client.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,client,client.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.5.0-dev,true,client,client.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,client,client.ip,ip,core,,IP address of the client. -1.5.0-dev,true,client,client.mac,keyword,core,,MAC address of the client. -1.5.0-dev,true,client,client.nat.ip,ip,extended,,Client NAT ip address -1.5.0-dev,true,client,client.nat.port,long,extended,,Client NAT port -1.5.0-dev,true,client,client.packets,long,core,12,Packets sent from the client to the server. -1.5.0-dev,true,client,client.port,long,core,,Port of the client. -1.5.0-dev,true,client,client.registered_domain,keyword,extended,google.com,"The highest registered client domain, stripped of the subdomain." -1.5.0-dev,true,client,client.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,client,client.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,client,client.user.email,keyword,extended,,User email address. -1.5.0-dev,true,client,client.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,client,client.user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,client,client.user.group.domain,keyword,extended,,Name of the directory the group is a member of. 
-1.5.0-dev,true,client,client.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,client,client.user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,client,client.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,client,client.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.5.0-dev,true,client,client.user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,client,client.user.name.text,text,core,albert,Short name or login of the user. -1.5.0-dev,true,cloud,cloud.account.id,keyword,extended,666777888999,The cloud account or organization id. -1.5.0-dev,true,cloud,cloud.availability_zone,keyword,extended,us-east-1c,Availability zone in which this host is running. -1.5.0-dev,true,cloud,cloud.instance.id,keyword,extended,i-1234567890abcdef0,Instance ID of the host machine. -1.5.0-dev,true,cloud,cloud.instance.name,keyword,extended,,Instance name of the host machine. -1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine. -1.5.0-dev,true,cloud,cloud.provider,keyword,extended,aws,Name of the cloud provider. -1.5.0-dev,true,cloud,cloud.region,keyword,extended,us-east-1,Region in which this host is running. -1.5.0-dev,true,container,container.id,keyword,core,,Unique container id. -1.5.0-dev,true,container,container.image.name,keyword,extended,,Name of the image the container was built on. -1.5.0-dev,true,container,container.image.tag,keyword,extended,,Container image tag. -1.5.0-dev,true,container,container.labels,object,extended,,Image labels. -1.5.0-dev,true,container,container.name,keyword,extended,,Container name. -1.5.0-dev,true,container,container.runtime,keyword,extended,docker,Runtime managing this container. -1.5.0-dev,true,destination,destination.address,keyword,extended,,Destination network address. 
-1.5.0-dev,true,destination,destination.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.5.0-dev,true,destination,destination.as.organization.name,keyword,extended,Google LLC,Organization name. -1.5.0-dev,true,destination,destination.as.organization.name.text,text,extended,Google LLC,Organization name. -1.5.0-dev,true,destination,destination.bytes,long,core,184,Bytes sent from the destination to the source. -1.5.0-dev,true,destination,destination.domain,keyword,core,,Destination domain. -1.5.0-dev,true,destination,destination.geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,destination,destination.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,destination,destination.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,destination,destination.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,destination,destination.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.5.0-dev,true,destination,destination.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,destination,destination.ip,ip,core,,IP address of the destination. -1.5.0-dev,true,destination,destination.mac,keyword,core,,MAC address of the destination. -1.5.0-dev,true,destination,destination.nat.ip,ip,extended,,Destination NAT ip -1.5.0-dev,true,destination,destination.nat.port,long,extended,,Destination NAT Port -1.5.0-dev,true,destination,destination.packets,long,core,12,Packets sent from the destination to the source. -1.5.0-dev,true,destination,destination.port,long,core,,Port of the destination. 
-1.5.0-dev,true,destination,destination.registered_domain,keyword,extended,google.com,"The highest registered destination domain, stripped of the subdomain." -1.5.0-dev,true,destination,destination.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,destination,destination.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,destination,destination.user.email,keyword,extended,,User email address. -1.5.0-dev,true,destination,destination.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,destination,destination.user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,destination,destination.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,destination,destination.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,destination,destination.user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,destination,destination.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,destination,destination.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.5.0-dev,true,destination,destination.user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,destination,destination.user.name.text,text,core,albert,Short name or login of the user. -1.5.0-dev,true,dns,dns.answers,object,extended,,Array of DNS answers. -1.5.0-dev,true,dns,dns.answers.class,keyword,extended,IN,The class of DNS data contained in this resource record. -1.5.0-dev,true,dns,dns.answers.data,keyword,extended,10.10.10.10,The data describing the resource. -1.5.0-dev,true,dns,dns.answers.name,keyword,extended,www.google.com,The domain name to which this resource record pertains. 
-1.5.0-dev,true,dns,dns.answers.ttl,long,extended,180,The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -1.5.0-dev,true,dns,dns.answers.type,keyword,extended,CNAME,The type of data contained in this resource record. -1.5.0-dev,true,dns,dns.header_flags,keyword,extended,"['RD', 'RA']",Array of DNS header flags. -1.5.0-dev,true,dns,dns.id,keyword,extended,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.5.0-dev,true,dns,dns.op_code,keyword,extended,QUERY,The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. -1.5.0-dev,true,dns,dns.question.class,keyword,extended,IN,The class of records being queried. -1.5.0-dev,true,dns,dns.question.name,keyword,extended,www.google.com,The name being queried. -1.5.0-dev,true,dns,dns.question.registered_domain,keyword,extended,google.com,"The highest registered domain, stripped of the subdomain." -1.5.0-dev,true,dns,dns.question.subdomain,keyword,extended,www,The subdomain of the domain. -1.5.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,dns,dns.question.type,keyword,extended,AAAA,The type of record being queried. -1.5.0-dev,true,dns,dns.resolved_ip,ip,extended,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data -1.5.0-dev,true,dns,dns.response_code,keyword,extended,NOERROR,The DNS response code. -1.5.0-dev,true,dns,dns.type,keyword,extended,answer,"The type of DNS event captured, query or answer." -1.5.0-dev,true,ecs,ecs.version,keyword,core,1.0.0,ECS version this event conforms to. -1.5.0-dev,true,error,error.code,keyword,core,,Error code describing the error. -1.5.0-dev,true,error,error.id,keyword,core,,Unique identifier for the error. 
-1.5.0-dev,true,error,error.message,text,core,,Error message. -1.5.0-dev,false,error,error.stack_trace,keyword,extended,,The stack trace of this error in plain text. -1.5.0-dev,false,error,error.stack_trace.text,text,extended,,The stack trace of this error in plain text. -1.5.0-dev,true,error,error.type,keyword,extended,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.5.0-dev,true,event,event.action,keyword,core,user-password-change,The action captured by the event. -1.5.0-dev,true,event,event.category,keyword,core,authentication,Event category. The second categorization field in the hierarchy. -1.5.0-dev,true,event,event.code,keyword,extended,4648,Identification code for this event. -1.5.0-dev,true,event,event.created,date,core,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.5.0-dev,true,event,event.dataset,keyword,core,apache.access,Name of the dataset. -1.5.0-dev,true,event,event.duration,long,core,,Duration of the event in nanoseconds. -1.5.0-dev,true,event,event.end,date,extended,,event.end contains the date when the event ended or when the activity was last observed. -1.5.0-dev,true,event,event.hash,keyword,extended,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.5.0-dev,true,event,event.id,keyword,core,8a4f500d,Unique ID to describe the event. -1.5.0-dev,true,event,event.ingested,date,core,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.5.0-dev,true,event,event.kind,keyword,core,alert,The kind of the event. The highest categorization field in the hierarchy. -1.5.0-dev,true,event,event.module,keyword,core,apache,Name of the module this data is coming from. 
-1.5.0-dev,false,event,event.original,keyword,core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.5.0-dev,true,event,event.outcome,keyword,core,success,The outcome of the event. The lowest categorization field in the hierarchy. -1.5.0-dev,true,event,event.provider,keyword,extended,kernel,Source of the event. -1.5.0-dev,true,event,event.risk_score,float,core,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.5.0-dev,true,event,event.risk_score_norm,float,extended,,Normalized risk score or priority of the event (0-100). -1.5.0-dev,true,event,event.sequence,long,extended,,Sequence number of the event. -1.5.0-dev,true,event,event.severity,long,core,7,Numeric severity of the event. -1.5.0-dev,true,event,event.start,date,extended,,event.start contains the date when the event started or when the activity was first observed. -1.5.0-dev,true,event,event.timezone,keyword,extended,,Event time zone. -1.5.0-dev,true,event,event.type,keyword,core,,Event type. The third categorization field in the hierarchy. -1.5.0-dev,true,file,file.accessed,date,extended,,Last time the file was accessed. -1.5.0-dev,true,file,file.attributes,keyword,extended,"[""readonly"", ""system""]",Array of file attributes. -1.5.0-dev,true,file,file.created,date,extended,,File creation time. -1.5.0-dev,true,file,file.ctime,date,extended,,Last time the file attributes or metadata changed. -1.5.0-dev,true,file,file.device,keyword,extended,sda,Device that is the source of the file. -1.5.0-dev,true,file,file.directory,keyword,extended,/home/alice,Directory where the file is located. -1.5.0-dev,true,file,file.drive_letter,keyword,extended,C,Drive letter where the file is located. -1.5.0-dev,true,file,file.extension,keyword,extended,png,File extension. -1.5.0-dev,true,file,file.gid,keyword,extended,1001,Primary group ID (GID) of the file. 
-1.5.0-dev,true,file,file.group,keyword,extended,alice,Primary group name of the file. -1.5.0-dev,true,file,file.hash.md5,keyword,extended,,MD5 hash. -1.5.0-dev,true,file,file.hash.sha1,keyword,extended,,SHA1 hash. -1.5.0-dev,true,file,file.hash.sha256,keyword,extended,,SHA256 hash. -1.5.0-dev,true,file,file.hash.sha512,keyword,extended,,SHA512 hash. -1.5.0-dev,true,file,file.inode,keyword,extended,256383,Inode representing the file in the filesystem. -1.5.0-dev,true,file,file.mode,keyword,extended,0640,Mode of the file in octal representation. -1.5.0-dev,true,file,file.mtime,date,extended,,Last time the file content was modified. -1.5.0-dev,true,file,file.name,keyword,extended,example.png,"Name of the file including the extension, without the directory." -1.5.0-dev,true,file,file.owner,keyword,extended,alice,File owner's username. -1.5.0-dev,true,file,file.path,keyword,extended,/home/alice/example.png,"Full path to the file, including the file name." -1.5.0-dev,true,file,file.path.text,text,extended,/home/alice/example.png,"Full path to the file, including the file name." -1.5.0-dev,true,file,file.size,long,extended,16384,File size in bytes. -1.5.0-dev,true,file,file.target_path,keyword,extended,,Target path for symlinks. -1.5.0-dev,true,file,file.target_path.text,text,extended,,Target path for symlinks. -1.5.0-dev,true,file,file.type,keyword,extended,file,"File type (file, dir, or symlink)." -1.5.0-dev,true,file,file.uid,keyword,extended,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.5.0-dev,true,geo,geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,geo,geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,geo,geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,geo,geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,geo,geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-1.5.0-dev,true,geo,geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,geo,geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.5.0-dev,true,geo,geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,group,group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,group,group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,group,group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,hash,hash.md5,keyword,extended,,MD5 hash. -1.5.0-dev,true,hash,hash.sha1,keyword,extended,,SHA1 hash. -1.5.0-dev,true,hash,hash.sha256,keyword,extended,,SHA256 hash. -1.5.0-dev,true,hash,hash.sha512,keyword,extended,,SHA512 hash. -1.5.0-dev,true,host,host.architecture,keyword,core,x86_64,Operating system architecture. -1.5.0-dev,true,host,host.domain,keyword,extended,CONTOSO,Name of the directory the group is a member of. -1.5.0-dev,true,host,host.geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,host,host.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,host,host.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,host,host.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,host,host.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,host,host.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,host,host.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.5.0-dev,true,host,host.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,host,host.hostname,keyword,core,,Hostname of the host. -1.5.0-dev,true,host,host.id,keyword,core,,Unique host id. -1.5.0-dev,true,host,host.ip,ip,core,,Host ip address. -1.5.0-dev,true,host,host.mac,keyword,core,,Host mac address. -1.5.0-dev,true,host,host.name,keyword,core,,Name of the host. 
-1.5.0-dev,true,host,host.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.5.0-dev,true,host,host.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,host,host.os.full.text,text,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,host,host.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.5.0-dev,true,host,host.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,host,host.os.name.text,text,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,host,host.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.5.0-dev,true,host,host.os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.5.0-dev,true,host,host.type,keyword,core,,Type of host. -1.5.0-dev,true,host,host.uptime,long,extended,1325,Seconds the host has been up. -1.5.0-dev,true,host,host.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,host,host.user.email,keyword,extended,,User email address. -1.5.0-dev,true,host,host.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,host,host.user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,host,host.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,host,host.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,host,host.user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,host,host.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,host,host.user.id,keyword,core,,One or multiple unique identifiers of the user. 
-1.5.0-dev,true,host,host.user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,host,host.user.name.text,text,core,albert,Short name or login of the user. -1.5.0-dev,true,http,http.request.body.bytes,long,extended,887,Size in bytes of the request body. -1.5.0-dev,true,http,http.request.body.content,keyword,extended,Hello world,The full HTTP request body. -1.5.0-dev,true,http,http.request.body.content.text,text,extended,Hello world,The full HTTP request body. -1.5.0-dev,true,http,http.request.bytes,long,extended,1437,Total size in bytes of the request (body and headers). -1.5.0-dev,true,http,http.request.method,keyword,extended,"get, post, put",HTTP request method. -1.5.0-dev,true,http,http.request.referrer,keyword,extended,https://blog.example.com/,Referrer for this HTTP request. -1.5.0-dev,true,http,http.response.body.bytes,long,extended,887,Size in bytes of the response body. -1.5.0-dev,true,http,http.response.body.content,keyword,extended,Hello world,The full HTTP response body. -1.5.0-dev,true,http,http.response.body.content.text,text,extended,Hello world,The full HTTP response body. -1.5.0-dev,true,http,http.response.bytes,long,extended,1437,Total size in bytes of the response (body and headers). -1.5.0-dev,true,http,http.response.status_code,long,extended,404,HTTP response status code. -1.5.0-dev,true,http,http.version,keyword,extended,1.1,HTTP version. -1.5.0-dev,true,log,log.level,keyword,core,error,Log level of the log event. -1.5.0-dev,true,log,log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.5.0-dev,true,log,log.origin.file.line,integer,extended,42,The line number of the file which originated the log event. -1.5.0-dev,true,log,log.origin.file.name,keyword,extended,Bootstrap.java,The file which originated the log event. -1.5.0-dev,true,log,log.origin.function,keyword,extended,init,The function which originated the log event. 
-1.5.0-dev,false,log,log.original,keyword,core,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.5.0-dev,true,log,log.syslog,object,extended,,Syslog metadata -1.5.0-dev,true,log,log.syslog.facility.code,long,extended,23,Syslog numeric facility of the event. -1.5.0-dev,true,log,log.syslog.facility.name,keyword,extended,local7,Syslog text-based facility of the event. -1.5.0-dev,true,log,log.syslog.priority,long,extended,135,Syslog priority of the event. -1.5.0-dev,true,log,log.syslog.severity.code,long,extended,3,Syslog numeric severity of the event. -1.5.0-dev,true,log,log.syslog.severity.name,keyword,extended,Error,Syslog text-based severity of the event. -1.5.0-dev,true,network,network.application,keyword,extended,aim,Application level protocol name. -1.5.0-dev,true,network,network.bytes,long,core,368,Total bytes transferred in both directions. -1.5.0-dev,true,network,network.community_id,keyword,extended,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.5.0-dev,true,network,network.direction,keyword,core,inbound,Direction of the network traffic. -1.5.0-dev,true,network,network.forwarded_ip,ip,core,192.1.1.2,Host IP address when the source IP address is the proxy. -1.5.0-dev,true,network,network.iana_number,keyword,extended,6,IANA Protocol Number. -1.5.0-dev,true,network,network.name,keyword,extended,Guest Wifi,Name given by operators to sections of their network. -1.5.0-dev,true,network,network.packets,long,core,24,Total packets transferred in both directions. -1.5.0-dev,true,network,network.protocol,keyword,core,http,L7 Network protocol name. -1.5.0-dev,true,network,network.transport,keyword,core,tcp,Protocol Name corresponding to the field `iana_number`. -1.5.0-dev,true,network,network.type,keyword,core,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.5.0-dev,true,observer,observer.geo.city_name,keyword,core,Montreal,City name. 
-1.5.0-dev,true,observer,observer.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,observer,observer.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,observer,observer.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,observer,observer.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. -1.5.0-dev,true,observer,observer.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,observer,observer.hostname,keyword,core,,Hostname of the observer. -1.5.0-dev,true,observer,observer.ip,ip,core,,IP address of the observer. -1.5.0-dev,true,observer,observer.mac,keyword,core,,MAC address of the observer -1.5.0-dev,true,observer,observer.name,keyword,extended,1_proxySG,Custom name of the observer. -1.5.0-dev,true,observer,observer.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.5.0-dev,true,observer,observer.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,observer,observer.os.full.text,text,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,observer,observer.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.5.0-dev,true,observer,observer.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,observer,observer.os.name.text,text,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,observer,observer.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.5.0-dev,true,observer,observer.os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.5.0-dev,true,observer,observer.product,keyword,extended,s200,The product name of the observer. -1.5.0-dev,true,observer,observer.serial_number,keyword,extended,,Observer serial number. -1.5.0-dev,true,observer,observer.type,keyword,core,firewall,The type of the observer the data is coming from. -1.5.0-dev,true,observer,observer.vendor,keyword,core,Symantec,Vendor name of the observer. -1.5.0-dev,true,observer,observer.version,keyword,core,,Observer version. -1.5.0-dev,true,organization,organization.id,keyword,extended,,Unique identifier for the organization. -1.5.0-dev,true,organization,organization.name,keyword,extended,,Organization name. -1.5.0-dev,true,organization,organization.name.text,text,extended,,Organization name. -1.5.0-dev,true,os,os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.5.0-dev,true,os,os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,os,os.full.text,text,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,os,os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.5.0-dev,true,os,os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,os,os.name.text,text,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,os,os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.5.0-dev,true,os,os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.5.0-dev,true,package,package.architecture,keyword,extended,x86_64,Package architecture. 
-1.5.0-dev,true,package,package.build_version,keyword,extended,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.5.0-dev,true,package,package.checksum,keyword,extended,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.5.0-dev,true,package,package.description,keyword,extended,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.5.0-dev,true,package,package.install_scope,keyword,extended,global,"Indicating how the package was installed, e.g. user-local, global." -1.5.0-dev,true,package,package.installed,date,extended,,Time when package was installed. -1.5.0-dev,true,package,package.license,keyword,extended,Apache License 2.0,Package license -1.5.0-dev,true,package,package.name,keyword,extended,go,Package name -1.5.0-dev,true,package,package.path,keyword,extended,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.5.0-dev,true,package,package.reference,keyword,extended,https://golang.org,Package home page or reference URL -1.5.0-dev,true,package,package.size,long,extended,62231,Package size in bytes. -1.5.0-dev,true,package,package.type,keyword,extended,rpm,Package type -1.5.0-dev,true,package,package.version,keyword,extended,1.12.9,Package version -1.5.0-dev,true,process,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.5.0-dev,true,process,process.args_count,long,extended,4,Length of the process.args array. -1.5.0-dev,true,process,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.5.0-dev,true,process,process.command_line.text,text,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.5.0-dev,true,process,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. 
-1.5.0-dev,true,process,process.executable.text,text,extended,/usr/bin/ssh,Absolute path to the process executable. -1.5.0-dev,true,process,process.exit_code,long,extended,137,The exit code of the process. -1.5.0-dev,true,process,process.hash.md5,keyword,extended,,MD5 hash. -1.5.0-dev,true,process,process.hash.sha1,keyword,extended,,SHA1 hash. -1.5.0-dev,true,process,process.hash.sha256,keyword,extended,,SHA256 hash. -1.5.0-dev,true,process,process.hash.sha512,keyword,extended,,SHA512 hash. -1.5.0-dev,true,process,process.name,keyword,extended,ssh,Process name. -1.5.0-dev,true,process,process.name.text,text,extended,ssh,Process name. -1.5.0-dev,true,process,process.parent.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. -1.5.0-dev,true,process,process.parent.args_count,long,extended,4,Length of the process.args array. -1.5.0-dev,true,process,process.parent.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.5.0-dev,true,process,process.parent.command_line.text,text,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.5.0-dev,true,process,process.parent.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. -1.5.0-dev,true,process,process.parent.executable.text,text,extended,/usr/bin/ssh,Absolute path to the process executable. -1.5.0-dev,true,process,process.parent.exit_code,long,extended,137,The exit code of the process. -1.5.0-dev,true,process,process.parent.hash.md5,keyword,extended,,MD5 hash. -1.5.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,SHA1 hash. -1.5.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,SHA256 hash. -1.5.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,SHA512 hash. -1.5.0-dev,true,process,process.parent.name,keyword,extended,ssh,Process name. -1.5.0-dev,true,process,process.parent.name.text,text,extended,ssh,Process name. 
-1.5.0-dev,true,process,process.parent.pgid,long,extended,,Identifier of the group of processes the process belongs to. -1.5.0-dev,true,process,process.parent.pid,long,core,4242,Process id. -1.5.0-dev,true,process,process.parent.ppid,long,extended,4241,Parent process' pid. -1.5.0-dev,true,process,process.parent.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. -1.5.0-dev,true,process,process.parent.thread.id,long,extended,4242,Thread ID. -1.5.0-dev,true,process,process.parent.thread.name,keyword,extended,thread-0,Thread name. -1.5.0-dev,true,process,process.parent.title,keyword,extended,,Process title. -1.5.0-dev,true,process,process.parent.title.text,text,extended,,Process title. -1.5.0-dev,true,process,process.parent.uptime,long,extended,1325,Seconds the process has been up. -1.5.0-dev,true,process,process.parent.working_directory,keyword,extended,/home/alice,The working directory of the process. -1.5.0-dev,true,process,process.parent.working_directory.text,text,extended,/home/alice,The working directory of the process. -1.5.0-dev,true,process,process.pgid,long,extended,,Identifier of the group of processes the process belongs to. -1.5.0-dev,true,process,process.pid,long,core,4242,Process id. -1.5.0-dev,true,process,process.ppid,long,extended,4241,Parent process' pid. -1.5.0-dev,true,process,process.start,date,extended,2016-05-23T08:05:34.853Z,The time the process started. -1.5.0-dev,true,process,process.thread.id,long,extended,4242,Thread ID. -1.5.0-dev,true,process,process.thread.name,keyword,extended,thread-0,Thread name. -1.5.0-dev,true,process,process.title,keyword,extended,,Process title. -1.5.0-dev,true,process,process.title.text,text,extended,,Process title. -1.5.0-dev,true,process,process.uptime,long,extended,1325,Seconds the process has been up. -1.5.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process. 
-1.5.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process. -1.5.0-dev,true,registry,registry.data.bytes,keyword,extended,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.5.0-dev,true,registry,registry.data.strings,keyword,core,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.5.0-dev,true,registry,registry.data.type,keyword,core,REG_SZ,Standard registry type for encoding contents -1.5.0-dev,true,registry,registry.hive,keyword,core,HKLM,Abbreviated name for the hive. -1.5.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.5.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.5.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written. -1.5.0-dev,true,related,related.hash,keyword,extended,,All the hashes seen on your event. -1.5.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event. -1.5.0-dev,true,related,related.user,keyword,extended,,All the user names seen on your event. 
-1.5.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category -1.5.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.5.0-dev,true,rule,rule.id,keyword,extended,101,Rule ID -1.5.0-dev,true,rule,rule.name,keyword,extended,BLOCK_DNS_over_TLS,Rule name -1.5.0-dev,true,rule,rule.reference,keyword,extended,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.5.0-dev,true,rule,rule.ruleset,keyword,extended,Standard_Protocol_Filters,Rule ruleset -1.5.0-dev,true,rule,rule.uuid,keyword,extended,1100110011,Rule UUID -1.5.0-dev,true,rule,rule.version,keyword,extended,1.1,Rule version -1.5.0-dev,true,server,server.address,keyword,extended,,Server network address. -1.5.0-dev,true,server,server.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.5.0-dev,true,server,server.as.organization.name,keyword,extended,Google LLC,Organization name. -1.5.0-dev,true,server,server.as.organization.name.text,text,extended,Google LLC,Organization name. -1.5.0-dev,true,server,server.bytes,long,core,184,Bytes sent from the server to the client. -1.5.0-dev,true,server,server.domain,keyword,core,,Server domain. -1.5.0-dev,true,server,server.geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,server,server.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,server,server.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,server,server.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,server,server.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,server,server.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,server,server.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. 
-1.5.0-dev,true,server,server.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,server,server.ip,ip,core,,IP address of the server. -1.5.0-dev,true,server,server.mac,keyword,core,,MAC address of the server. -1.5.0-dev,true,server,server.nat.ip,ip,extended,,Server NAT ip -1.5.0-dev,true,server,server.nat.port,long,extended,,Server NAT port -1.5.0-dev,true,server,server.packets,long,core,12,Packets sent from the server to the client. -1.5.0-dev,true,server,server.port,long,core,,Port of the server. -1.5.0-dev,true,server,server.registered_domain,keyword,extended,google.com,"The highest registered server domain, stripped of the subdomain." -1.5.0-dev,true,server,server.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,server,server.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,server,server.user.email,keyword,extended,,User email address. -1.5.0-dev,true,server,server.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,server,server.user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,server,server.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,server,server.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,server,server.user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,server,server.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,server,server.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.5.0-dev,true,server,server.user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,server,server.user.name.text,text,core,albert,Short name or login of the user. 
-1.5.0-dev,true,service,service.ephemeral_id,keyword,extended,8a4f500f,Ephemeral identifier of this service. -1.5.0-dev,true,service,service.id,keyword,core,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.5.0-dev,true,service,service.name,keyword,core,elasticsearch-metrics,Name of the service. -1.5.0-dev,true,service,service.node.name,keyword,extended,instance-0000000016,Name of the service node. -1.5.0-dev,true,service,service.state,keyword,core,,Current state of the service. -1.5.0-dev,true,service,service.type,keyword,core,elasticsearch,The type of the service. -1.5.0-dev,true,service,service.version,keyword,core,3.2.4,Version of the service. -1.5.0-dev,true,source,source.address,keyword,extended,,Source network address. -1.5.0-dev,true,source,source.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -1.5.0-dev,true,source,source.as.organization.name,keyword,extended,Google LLC,Organization name. -1.5.0-dev,true,source,source.as.organization.name.text,text,extended,Google LLC,Organization name. -1.5.0-dev,true,source,source.bytes,long,core,184,Bytes sent from the source to the destination. -1.5.0-dev,true,source,source.domain,keyword,core,,Source domain. -1.5.0-dev,true,source,source.geo.city_name,keyword,core,Montreal,City name. -1.5.0-dev,true,source,source.geo.continent_name,keyword,core,North America,Name of the continent. -1.5.0-dev,true,source,source.geo.country_iso_code,keyword,core,CA,Country ISO code. -1.5.0-dev,true,source,source.geo.country_name,keyword,core,Canada,Country name. -1.5.0-dev,true,source,source.geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.5.0-dev,true,source,source.geo.name,keyword,extended,boston-dc,User-defined description of a location. -1.5.0-dev,true,source,source.geo.region_iso_code,keyword,core,CA-QC,Region ISO code. 
-1.5.0-dev,true,source,source.geo.region_name,keyword,core,Quebec,Region name. -1.5.0-dev,true,source,source.ip,ip,core,,IP address of the source. -1.5.0-dev,true,source,source.mac,keyword,core,,MAC address of the source. -1.5.0-dev,true,source,source.nat.ip,ip,extended,,Source NAT ip -1.5.0-dev,true,source,source.nat.port,long,extended,,Source NAT port -1.5.0-dev,true,source,source.packets,long,core,12,Packets sent from the source to the destination. -1.5.0-dev,true,source,source.port,long,core,,Port of the source. -1.5.0-dev,true,source,source.registered_domain,keyword,extended,google.com,"The highest registered source domain, stripped of the subdomain." -1.5.0-dev,true,source,source.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,source,source.user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,source,source.user.email,keyword,extended,,User email address. -1.5.0-dev,true,source,source.user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,source,source.user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,source,source.user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,source,source.user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. -1.5.0-dev,true,source,source.user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,source,source.user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,source,source.user.id,keyword,core,,One or multiple unique identifiers of the user. -1.5.0-dev,true,source,source.user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,source,source.user.name.text,text,core,albert,Short name or login of the user. 
-1.5.0-dev,true,threat,threat.framework,keyword,extended,MITRE ATT&CK,Threat classification framework. -1.5.0-dev,true,threat,threat.tactic.id,keyword,extended,TA0040,Threat tactic id. -1.5.0-dev,true,threat,threat.tactic.name,keyword,extended,impact,Threat tactic. -1.5.0-dev,true,threat,threat.tactic.reference,keyword,extended,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference. -1.5.0-dev,true,threat,threat.technique.id,keyword,extended,T1499,Threat technique id. -1.5.0-dev,true,threat,threat.technique.name,keyword,extended,endpoint denial of service,Threat technique name. -1.5.0-dev,true,threat,threat.technique.name.text,text,extended,endpoint denial of service,Threat technique name. -1.5.0-dev,true,threat,threat.technique.reference,keyword,extended,https://attack.mitre.org/techniques/T1499/,Threat technique reference. -1.5.0-dev,true,tls,tls.cipher,keyword,extended,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.5.0-dev,true,tls,tls.client.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. -1.5.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. -1.5.0-dev,true,tls,tls.client.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." 
-1.5.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.5.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.5.0-dev,true,tls,tls.client.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.5.0-dev,true,tls,tls.client.ja3,keyword,extended,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.5.0-dev,true,tls,tls.client.not_after,date,extended,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.5.0-dev,true,tls,tls.client.not_before,date,extended,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.5.0-dev,true,tls,tls.client.server_name,keyword,extended,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." -1.5.0-dev,true,tls,tls.client.subject,keyword,extended,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.5.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. 
-1.5.0-dev,true,tls,tls.curve,keyword,extended,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.5.0-dev,true,tls,tls.established,boolean,extended,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.5.0-dev,true,tls,tls.next_protocol,keyword,extended,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." -1.5.0-dev,true,tls,tls.resumed,boolean,extended,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.5.0-dev,true,tls,tls.server.certificate,keyword,extended,MII...,PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -1.5.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. -1.5.0-dev,true,tls,tls.server.hash.md5,keyword,extended,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.5.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." 
-1.5.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." -1.5.0-dev,true,tls,tls.server.issuer,keyword,extended,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.5.0-dev,true,tls,tls.server.ja3s,keyword,extended,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.5.0-dev,true,tls,tls.server.not_after,date,extended,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.5.0-dev,true,tls,tls.server.not_before,date,extended,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.5.0-dev,true,tls,tls.server.subject,keyword,extended,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. -1.5.0-dev,true,tls,tls.version,keyword,extended,1.2,Numeric part of the version parsed from the original string. -1.5.0-dev,true,tls,tls.version_protocol,keyword,extended,tls,Normalized lowercase protocol name parsed from original string. -1.5.0-dev,true,trace,trace.id,keyword,extended,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.5.0-dev,true,transaction,transaction.id,keyword,extended,00f067aa0ba902b7,Unique identifier of the transaction. -1.5.0-dev,true,url,url.domain,keyword,extended,www.elastic.co,Domain of the url. -1.5.0-dev,true,url,url.extension,keyword,extended,png,File extension from the original request url. -1.5.0-dev,true,url,url.fragment,keyword,extended,,Portion of the url after the `#`. 
-1.5.0-dev,true,url,url.full,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.5.0-dev,true,url,url.full.text,text,extended,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.5.0-dev,true,url,url.original,keyword,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.5.0-dev,true,url,url.original.text,text,extended,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.5.0-dev,true,url,url.password,keyword,extended,,Password of the request. -1.5.0-dev,true,url,url.path,keyword,extended,,"Path of the request, such as ""/search""." -1.5.0-dev,true,url,url.port,long,extended,443,"Port of the request, such as 443." -1.5.0-dev,true,url,url.query,keyword,extended,,Query string of the request. -1.5.0-dev,true,url,url.registered_domain,keyword,extended,google.com,"The highest registered url domain, stripped of the subdomain." -1.5.0-dev,true,url,url.scheme,keyword,extended,https,Scheme of the url. -1.5.0-dev,true,url,url.top_level_domain,keyword,extended,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.5.0-dev,true,url,url.username,keyword,extended,,Username of the request. -1.5.0-dev,true,user,user.domain,keyword,extended,,Name of the directory the user is a member of. -1.5.0-dev,true,user,user.email,keyword,extended,,User email address. -1.5.0-dev,true,user,user.full_name,keyword,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,user,user.full_name.text,text,extended,Albert Einstein,"User's full name, if available." -1.5.0-dev,true,user,user.group.domain,keyword,extended,,Name of the directory the group is a member of. -1.5.0-dev,true,user,user.group.id,keyword,extended,,Unique identifier for the group on the system/platform. 
-1.5.0-dev,true,user,user.group.name,keyword,extended,,Name of the group. -1.5.0-dev,true,user,user.hash,keyword,extended,,Unique user hash to correlate information for a user in anonymized form. -1.5.0-dev,true,user,user.id,keyword,core,,One or multiple unique identifiers of the user. -1.5.0-dev,true,user,user.name,keyword,core,albert,Short name or login of the user. -1.5.0-dev,true,user,user.name.text,text,core,albert,Short name or login of the user. -1.5.0-dev,true,user_agent,user_agent.device.name,keyword,extended,iPhone,Name of the device. -1.5.0-dev,true,user_agent,user_agent.name,keyword,extended,Safari,Name of the user agent. -1.5.0-dev,true,user_agent,user_agent.original,keyword,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.5.0-dev,true,user_agent,user_agent.original.text,text,extended,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.5.0-dev,true,user_agent,user_agent.os.family,keyword,extended,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.5.0-dev,true,user_agent,user_agent.os.full,keyword,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,user_agent,user_agent.os.full.text,text,extended,Mac OS Mojave,"Operating system name, including the version or code name." -1.5.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,4.4.0-112-generic,Operating system kernel version as a raw string. -1.5.0-dev,true,user_agent,user_agent.os.name,keyword,extended,Mac OS X,"Operating system name, without the version." -1.5.0-dev,true,user_agent,user_agent.os.name.text,text,extended,Mac OS X,"Operating system name, without the version." 
-1.5.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.5.0-dev,true,user_agent,user_agent.os.version,keyword,extended,10.14.1,Operating system version as a raw string. -1.5.0-dev,true,user_agent,user_agent.version,keyword,extended,12.0,Version of the user agent. -1.5.0-dev,true,vulnerability,vulnerability.category,keyword,extended,"[""Firewall""]",Category of a vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,CVSS,Classification of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.description,keyword,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.description.text,text,extended,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,CVE,Identifier of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.id,keyword,extended,CVE-2019-00001,ID of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.5.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,20191018.0001,Scan identification number. -1.5.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,Tenable,Name of the scanner vendor. -1.5.0-dev,true,vulnerability,vulnerability.score.base,float,extended,5.5,Vulnerability Base score. -1.5.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,5.5,Vulnerability Environmental score. -1.5.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,Vulnerability Temporal score. -1.5.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,2.0,CVSS version. 
-1.5.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,Critical,Severity of the vulnerability. +ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description +1.5.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.5.0-dev,true,base,labels,object,core,,"{'application': 'foo-bar', 'env': 'production'}",Custom key/value pairs. +1.5.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.5.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.5.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.5.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.5.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.5.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.5.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.5.0-dev,true,as,as.number,long,extended,,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.5.0-dev,true,as,as.organization.name,keyword,extended,,Google LLC,Organization name. +1.5.0-dev,true,as,as.organization.name.text,text,extended,,Google LLC,Organization name. +1.5.0-dev,true,client,client.address,keyword,extended,,,Client network address. +1.5.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.5.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.5.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.5.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. 
+1.5.0-dev,true,client,client.domain,keyword,core,,,Client domain. +1.5.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +1.5.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. +1.5.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.5.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +1.5.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.5.0-dev,true,client,client.port,long,core,,,Port of the client. +1.5.0-dev,true,client,client.registered_domain,keyword,extended,,google.com,"The highest registered client domain, stripped of the subdomain." +1.5.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +1.5.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+1.5.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,client,client.user.id,keyword,core,,,Unique identifiers of the user. +1.5.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.5.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.5.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.5.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.5.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.5.0-dev,true,container,container.id,keyword,core,,,Unique container id. +1.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.5.0-dev,true,container,container.labels,object,extended,,,Image labels. +1.5.0-dev,true,container,container.name,keyword,extended,,,Container name. +1.5.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+1.5.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +1.5.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.5.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.5.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.5.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.5.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. +1.5.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.5.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +1.5.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.5.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.5.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
+1.5.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +1.5.0-dev,true,destination,destination.registered_domain,keyword,extended,,google.com,"The highest registered destination domain, stripped of the subdomain." +1.5.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +1.5.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user. +1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
+1.5.0-dev,true,dns,dns.answers.name,keyword,extended,,www.google.com,The domain name to which this resource record pertains. +1.5.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +1.5.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.5.0-dev,true,dns,dns.header_flags,keyword,extended,array,"['RD', 'RA']",Array of DNS header flags. +1.5.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.5.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. +1.5.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.5.0-dev,true,dns,dns.question.name,keyword,extended,,www.google.com,The name being queried. +1.5.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,google.com,"The highest registered domain, stripped of the subdomain." +1.5.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.5.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.5.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"['10.10.10.10', '10.10.10.11']",Array containing all IPs seen in answers.data +1.5.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.5.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.5.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 
+1.5.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +1.5.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.5.0-dev,true,error,error.message,text,core,,,Error message. +1.5.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. +1.5.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.5.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.5.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.5.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.5.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.5.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.5.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.5.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.5.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.5.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.5.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.5.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.5.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.5.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. 
+1.5.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.5.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest categorization field in the hierarchy. +1.5.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.5.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.5.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.5.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.5.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.5.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.5.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.5.0-dev,true,file,file.created,date,extended,,,File creation time. +1.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.5.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.5.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.5.0-dev,true,file,file.extension,keyword,extended,,png,File extension. 
+1.5.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.5.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.5.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.5.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.5.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.5.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.5.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.5.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.5.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.5.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.5.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.5.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.5.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.5.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +1.5.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +1.5.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.5.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.5.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.5.0-dev,true,geo,geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,geo,geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,geo,geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,geo,geo.country_name,keyword,core,,Canada,Country name. 
+1.5.0-dev,true,geo,geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,geo,geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,geo,geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,geo,geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,hash,hash.md5,keyword,extended,,,MD5 hash. +1.5.0-dev,true,hash,hash.sha1,keyword,extended,,,SHA1 hash. +1.5.0-dev,true,hash,hash.sha256,keyword,extended,,,SHA256 hash. +1.5.0-dev,true,hash,hash.sha512,keyword,extended,,,SHA512 hash. +1.5.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.5.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.5.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +1.5.0-dev,true,host,host.id,keyword,core,,,Unique host id. 
+1.5.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +1.5.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. +1.5.0-dev,true,host,host.name,keyword,core,,,Name of the host. +1.5.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.5.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.5.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.5.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.5.0-dev,true,host,host.type,keyword,core,,,Type of host. +1.5.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.5.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,host,host.user.email,keyword,extended,,,User email address. +1.5.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. 
+1.5.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,host,host.user.id,keyword,core,,,Unique identifiers of the user. +1.5.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. +1.5.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.5.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. +1.5.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.5.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.5.0-dev,true,http,http.request.method,keyword,extended,,"get, post, put",HTTP request method. +1.5.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.5.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.5.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +1.5.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.5.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.5.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.5.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.5.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +1.5.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.5.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. 
+1.5.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The file which originated the log event. +1.5.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.5.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.5.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +1.5.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.5.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.5.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.5.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.5.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.5.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.5.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.5.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.5.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.5.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.5.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.5.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.5.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.5.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
+1.5.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.5.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.5.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.5.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.5.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +1.5.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.5.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.5.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+1.5.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.5.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.5.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.5.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.5.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.5.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.5.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +1.5.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.5.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +1.5.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. +1.5.0-dev,true,os,os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.5.0-dev,true,os,os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,os,os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,os,os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.5.0-dev,true,os,os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,os,os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 
+1.5.0-dev,true,os,os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.5.0-dev,true,os,os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.5.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.5.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.5.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.5.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.5.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.5.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +1.5.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.5.0-dev,true,package,package.name,keyword,extended,,go,Package name +1.5.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.5.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.5.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +1.5.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +1.5.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+1.5.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.5.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.5.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.5.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.5.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.5.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.5.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.5.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +1.5.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. +1.5.0-dev,true,process,process.parent.args,keyword,extended,array,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. +1.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.5.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.5.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.5.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.5.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.5.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.5.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.5.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
+1.5.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.5.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.5.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +1.5.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.5.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.5.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +1.5.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.5.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.5.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.5.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.5.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +1.5.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. +1.5.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.5.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.5.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.5.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.5.0-dev,true,process,process.pid,long,core,,4242,Process id. +1.5.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.5.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.5.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.5.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.5.0-dev,true,process,process.title,keyword,extended,,,Process title. 
+1.5.0-dev,true,process,process.title.text,text,extended,,,Process title. +1.5.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.5.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.5.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.5.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.5.0-dev,true,registry,registry.data.strings,keyword,core,,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.5.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.5.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.5.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.5.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.5.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.5.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.5.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.5.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.5.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.5.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.5.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +1.5.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.5.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.5.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.5.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.5.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.5.0-dev,true,server,server.address,keyword,extended,,,Server network address. +1.5.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.5.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.5.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.5.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.5.0-dev,true,server,server.domain,keyword,core,,,Server domain. +1.5.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.5.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+1.5.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +1.5.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. +1.5.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.5.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +1.5.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.5.0-dev,true,server,server.port,long,core,,,Port of the server. +1.5.0-dev,true,server,server.registered_domain,keyword,extended,,google.com,"The highest registered server domain, stripped of the subdomain." +1.5.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +1.5.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,server,server.user.id,keyword,core,,,Unique identifiers of the user. +1.5.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. 
+1.5.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.5.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.5.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.5.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.5.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +1.5.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.5.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.5.0-dev,true,source,source.address,keyword,extended,,,Source network address. +1.5.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +1.5.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.5.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.5.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.5.0-dev,true,source,source.domain,keyword,core,,,Source domain. +1.5.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.5.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.5.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.5.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.5.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.5.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.5.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.5.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.5.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +1.5.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. +1.5.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.5.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +1.5.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.5.0-dev,true,source,source.port,long,core,,,Port of the source. +1.5.0-dev,true,source,source.registered_domain,keyword,extended,,google.com,"The highest registered source domain, stripped of the subdomain." +1.5.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +1.5.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,source,source.user.id,keyword,core,,,Unique identifiers of the user. 
+1.5.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. +1.5.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.5.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id. +1.5.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic. +1.5.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference. +1.5.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id. +1.5.0-dev,true,threat,threat.technique.name,keyword,extended,array,endpoint denial of service,Threat technique name. +1.5.0-dev,true,threat,threat.technique.name.text,text,extended,,endpoint denial of service,Threat technique name. +1.5.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique reference. +1.5.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.5.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +1.5.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +1.5.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
For consistency with other hash values, this value should be formatted as an uppercase hash." +1.5.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.5.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.5.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.5.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.5.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.5.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.5.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." +1.5.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
+1.5.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. +1.5.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.5.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.5.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." +1.5.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.5.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +1.5.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +1.5.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,"Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." 
+1.5.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,"Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.5.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,"Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash." +1.5.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.5.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.5.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.5.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.5.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. +1.5.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.5.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.5.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.5.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction. 
+1.5.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.5.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +1.5.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.5.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.5.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.5.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.5.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.5.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +1.5.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." +1.5.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.5.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +1.5.0-dev,true,url,url.registered_domain,keyword,extended,,google.com,"The highest registered url domain, stripped of the subdomain." +1.5.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.5.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.5.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.5.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.5.0-dev,true,user,user.email,keyword,extended,,,User email address. +1.5.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+1.5.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.5.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.5.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.5.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +1.5.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.5.0-dev,true,user,user.id,keyword,core,,,Unique identifiers of the user. +1.5.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. +1.5.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.5.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.5.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.5.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.5.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.5.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.5.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+1.5.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.5.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.5.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.5.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.5.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.5.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.5.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.5.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. 
+1.5.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.5.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.5.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.5.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 1fb6cbe035..4f601773f2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -13,6 +13,7 @@ flat_name: '@timestamp' level: core name: '@timestamp' + normalize: [] order: 0 required: true short: Date/time when the event originated. @@ -27,6 +28,7 @@ agent.ephemeral_id: ignore_above: 1024 level: extended name: ephemeral_id + normalize: [] order: 4 short: Ephemeral identifier of this agent. type: keyword @@ -40,6 +42,7 @@ agent.id: ignore_above: 1024 level: core name: id + normalize: [] order: 3 short: Unique identifier of this agent. type: keyword @@ -57,6 +60,7 @@ agent.name: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Custom name of the agent. type: keyword @@ -72,6 +76,7 @@ agent.type: ignore_above: 1024 level: core name: type + normalize: [] order: 2 short: Type of the agent. type: keyword @@ -83,6 +88,7 @@ agent.version: ignore_above: 1024 level: core name: version + normalize: [] order: 0 short: Version of the agent. type: keyword @@ -94,6 +100,7 @@ as.number: flat_name: as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system number @@ -112,6 +119,7 @@ as.organization.name: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. 
@@ -128,6 +136,7 @@ client.address: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Client network address. type: keyword @@ -139,6 +148,7 @@ client.as.number: flat_name: client.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system number @@ -157,6 +167,7 @@ client.as.organization.name: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -169,6 +180,7 @@ client.bytes: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the client to the server. type: long @@ -179,6 +191,7 @@ client.domain: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Client domain. type: keyword @@ -190,6 +203,7 @@ client.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -202,6 +216,7 @@ client.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -214,6 +229,7 @@ client.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -226,6 +242,7 @@ client.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -237,6 +254,7 @@ client.geo.location: flat_name: client.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -255,6 +273,7 @@ client.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. 
@@ -267,6 +286,7 @@ client.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -279,6 +299,7 @@ client.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -291,6 +312,7 @@ client.ip: flat_name: client.ip level: core name: ip + normalize: [] order: 1 short: IP address of the client. type: ip @@ -301,6 +323,7 @@ client.mac: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the client. type: keyword @@ -313,6 +336,7 @@ client.nat.ip: flat_name: client.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Client NAT ip address type: ip @@ -326,6 +350,7 @@ client.nat.port: format: string level: extended name: nat.port + normalize: [] order: 10 short: Client NAT port type: long @@ -336,6 +361,7 @@ client.packets: flat_name: client.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the client to the server. type: long @@ -346,6 +372,7 @@ client.port: format: string level: core name: port + normalize: [] order: 2 short: Port of the client. type: long @@ -363,6 +390,7 @@ client.registered_domain: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered client domain, stripped of the subdomain. type: keyword @@ -380,6 +408,7 @@ client.top_level_domain: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -392,6 +421,7 @@ client.user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -403,6 +433,7 @@ client.user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. 
@@ -420,6 +451,7 @@ client.user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -433,6 +465,7 @@ client.user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -444,6 +477,7 @@ client.user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -455,6 +489,7 @@ client.user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -470,20 +505,22 @@ client.user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword client.user.id: dashed_name: client-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: client.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword client.user.name: dashed_name: client-user-name @@ -498,6 +535,7 @@ client.user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -513,6 +551,7 @@ cloud.account.id: ignore_above: 1024 level: extended name: account.id + normalize: [] order: 6 short: The cloud account or organization id. type: keyword @@ -524,6 +563,7 @@ cloud.availability_zone: ignore_above: 1024 level: extended name: availability_zone + normalize: [] order: 1 short: Availability zone in which this host is running. type: keyword 
@@ -535,6 +575,7 @@ cloud.instance.id: ignore_above: 1024 level: extended name: instance.id + normalize: [] order: 3 short: Instance ID of the host machine. type: keyword @@ -545,6 +586,7 @@ cloud.instance.name: ignore_above: 1024 level: extended name: instance.name + normalize: [] order: 4 short: Instance name of the host machine. type: keyword @@ -556,6 +598,7 @@ cloud.machine.type: ignore_above: 1024 level: extended name: machine.type + normalize: [] order: 5 short: Machine type of the host machine. type: keyword @@ -568,6 +611,7 @@ cloud.provider: ignore_above: 1024 level: extended name: provider + normalize: [] order: 0 short: Name of the cloud provider. type: keyword @@ -579,6 +623,7 @@ cloud.region: ignore_above: 1024 level: extended name: region + normalize: [] order: 2 short: Region in which this host is running. type: keyword @@ -589,6 +634,7 @@ container.id: ignore_above: 1024 level: core name: id + normalize: [] order: 1 short: Unique container id. type: keyword @@ -599,18 +645,21 @@ container.image.name: ignore_above: 1024 level: extended name: image.name + normalize: [] order: 2 short: Name of the image the container was built on. type: keyword container.image.tag: dashed_name: container-image-tag - description: Container image tag. + description: Container image tags. flat_name: container.image.tag ignore_above: 1024 level: extended name: image.tag + normalize: + - array order: 3 - short: Container image tag. + short: Container image tags. type: keyword container.labels: dashed_name: container-labels @@ -618,6 +667,7 @@ container.labels: flat_name: container.labels level: extended name: labels + normalize: [] object_type: keyword order: 5 short: Image labels. @@ -629,6 +679,7 @@ container.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 4 short: Container name. type: keyword 
@@ -640,6 +691,7 @@ container.runtime: ignore_above: 1024 level: extended name: runtime + normalize: [] order: 0 short: Runtime managing this container. type: keyword @@ -655,6 +707,7 @@ destination.address: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Destination network address. type: keyword @@ -666,6 +719,7 @@ destination.as.number: flat_name: destination.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system number @@ -684,6 +738,7 @@ destination.as.organization.name: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -696,6 +751,7 @@ destination.bytes: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the destination to the source. type: long @@ -706,6 +762,7 @@ destination.domain: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Destination domain. type: keyword @@ -717,6 +774,7 @@ destination.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -729,6 +787,7 @@ destination.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -741,6 +800,7 @@ destination.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -753,6 +813,7 @@ destination.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -764,6 +825,7 @@ destination.geo.location: flat_name: destination.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. 
@@ -782,6 +844,7 @@ destination.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -794,6 +857,7 @@ destination.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -806,6 +870,7 @@ destination.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -818,6 +883,7 @@ destination.ip: flat_name: destination.ip level: core name: ip + normalize: [] order: 1 short: IP address of the destination. type: ip @@ -828,6 +894,7 @@ destination.mac: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the destination. type: keyword @@ -840,6 +907,7 @@ destination.nat.ip: flat_name: destination.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Destination NAT ip type: ip @@ -852,6 +920,7 @@ destination.nat.port: format: string level: extended name: nat.port + normalize: [] order: 10 short: Destination NAT Port type: long @@ -862,6 +931,7 @@ destination.packets: flat_name: destination.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the destination to the source. type: long @@ -872,6 +942,7 @@ destination.port: format: string level: core name: port + normalize: [] order: 2 short: Port of the destination. type: long @@ -889,6 +960,7 @@ destination.registered_domain: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered destination domain, stripped of the subdomain. type: keyword @@ -906,6 +978,7 @@ destination.top_level_domain: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword 
@@ -918,6 +991,7 @@ destination.user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -929,6 +1003,7 @@ destination.user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -946,6 +1021,7 @@ destination.user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -959,6 +1035,7 @@ destination.user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -970,6 +1047,7 @@ destination.user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -981,6 +1059,7 @@ destination.user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -996,20 +1075,22 @@ destination.user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword destination.user.id: dashed_name: destination-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: destination.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword destination.user.name: dashed_name: destination-user-name @@ -1024,6 +1105,7 @@ destination.user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. 
@@ -1043,6 +1125,8 @@ dns.answers: flat_name: dns.answers level: extended name: answers + normalize: + - array object_type: keyword order: 11 short: Array of DNS answers. @@ -1055,6 +1139,7 @@ dns.answers.class: ignore_above: 1024 level: extended name: answers.class + normalize: [] order: 14 short: The class of DNS data contained in this resource record. type: keyword @@ -1068,6 +1153,7 @@ dns.answers.data: ignore_above: 1024 level: extended name: answers.data + normalize: [] order: 16 short: The data describing the resource. type: keyword @@ -1083,6 +1169,7 @@ dns.answers.name: ignore_above: 1024 level: extended name: answers.name + normalize: [] order: 12 short: The domain name to which this resource record pertains. type: keyword @@ -1094,6 +1181,7 @@ dns.answers.ttl: flat_name: dns.answers.ttl level: extended name: answers.ttl + normalize: [] order: 15 short: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. @@ -1106,6 +1194,7 @@ dns.answers.type: ignore_above: 1024 level: extended name: answers.type + normalize: [] order: 13 short: The type of data contained in this resource record. type: keyword @@ -1121,6 +1210,8 @@ dns.header_flags: ignore_above: 1024 level: extended name: header_flags + normalize: + - array order: 3 short: Array of DNS header flags. type: keyword @@ -1133,6 +1224,7 @@ dns.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 1 short: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. @@ -1146,6 +1238,7 @@ dns.op_code: ignore_above: 1024 level: extended name: op_code + normalize: [] order: 2 short: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. 
@@ -1158,6 +1251,7 @@ dns.question.class: ignore_above: 1024 level: extended name: question.class + normalize: [] order: 7 short: The class of records being queried. type: keyword @@ -1174,6 +1268,7 @@ dns.question.name: ignore_above: 1024 level: extended name: question.name + normalize: [] order: 5 short: The name being queried. type: keyword @@ -1191,6 +1286,7 @@ dns.question.registered_domain: ignore_above: 1024 level: extended name: question.registered_domain + normalize: [] order: 8 short: The highest registered domain, stripped of the subdomain. type: keyword @@ -1205,6 +1301,7 @@ dns.question.subdomain: ignore_above: 1024 level: extended name: question.subdomain + normalize: [] order: 10 short: The subdomain of the domain. type: keyword @@ -1222,6 +1319,7 @@ dns.question.top_level_domain: ignore_above: 1024 level: extended name: question.top_level_domain + normalize: [] order: 9 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -1233,6 +1331,7 @@ dns.question.type: ignore_above: 1024 level: extended name: question.type + normalize: [] order: 6 short: The type of record being queried. type: keyword @@ -1250,6 +1349,8 @@ dns.resolved_ip: flat_name: dns.resolved_ip level: extended name: resolved_ip + normalize: + - array order: 17 short: Array containing all IPs seen in answers.data type: ip @@ -1261,6 +1362,7 @@ dns.response_code: ignore_above: 1024 level: extended name: response_code + normalize: [] order: 4 short: The DNS response code. type: keyword @@ -1279,6 +1381,7 @@ dns.type: ignore_above: 1024 level: extended name: type + normalize: [] order: 0 short: The type of DNS event captured, query or answer. type: keyword @@ -1295,6 +1398,7 @@ ecs.version: ignore_above: 1024 level: core name: version + normalize: [] order: 0 required: true short: ECS version this event conforms to. 
@@ -1306,6 +1410,7 @@ error.code: ignore_above: 1024 level: core name: code + normalize: [] order: 2 short: Error code describing the error. type: keyword @@ -1316,6 +1421,7 @@ error.id: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique identifier for the error. type: keyword @@ -1325,6 +1431,7 @@ error.message: flat_name: error.message level: core name: message + normalize: [] norms: false order: 1 short: Error message. @@ -1343,6 +1450,7 @@ error.stack_trace: norms: false type: text name: stack_trace + normalize: [] order: 4 short: The stack trace of this error in plain text. type: keyword @@ -1354,6 +1462,7 @@ error.type: ignore_above: 1024 level: extended name: type + normalize: [] order: 3 short: The type of the error, for example the class name of the exception. type: keyword @@ -1369,6 +1478,7 @@ event.action: ignore_above: 1024 level: core name: action + normalize: [] order: 4 short: The action captured by the event. type: keyword @@ -1513,6 +1623,8 @@ event.category: ignore_above: 1024 level: core name: category + normalize: + - array order: 3 short: Event category. The second categorization field in the hierarchy. type: keyword @@ -1528,6 +1640,7 @@ event.code: ignore_above: 1024 level: extended name: code + normalize: [] order: 1 short: Identification code for this event. type: keyword @@ -1549,6 +1662,7 @@ event.created: flat_name: event.created level: core name: created + normalize: [] order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date @@ -1566,6 +1680,7 @@ event.dataset: ignore_above: 1024 level: core name: dataset + normalize: [] order: 8 short: Name of the dataset. type: keyword @@ -1580,6 +1695,7 @@ event.duration: input_format: nanoseconds level: core name: duration + normalize: [] order: 13 output_format: asMilliseconds output_precision: 1 
@@ -1592,6 +1708,7 @@ event.end: flat_name: event.end level: extended name: end + normalize: [] order: 18 short: event.end contains the date when the event ended or when the activity was last observed. @@ -1605,6 +1722,7 @@ event.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. @@ -1617,6 +1735,7 @@ event.id: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique ID to describe the event. type: keyword @@ -1634,6 +1753,7 @@ event.ingested: flat_name: event.ingested level: core name: ingested + normalize: [] order: 21 short: Timestamp when an event arrived in the central data store. type: date @@ -1702,6 +1822,7 @@ event.kind: ignore_above: 1024 level: core name: kind + normalize: [] order: 2 short: The kind of the event. The highest categorization field in the hierarchy. type: keyword @@ -1717,6 +1838,7 @@ event.module: ignore_above: 1024 level: core name: module + normalize: [] order: 7 short: Name of the module this data is coming from. type: keyword @@ -1734,6 +1856,7 @@ event.original: index: false level: core name: original + normalize: [] order: 11 short: Raw text message of entire event. type: keyword @@ -1770,6 +1893,7 @@ event.outcome: ignore_above: 1024 level: core name: outcome + normalize: [] order: 5 short: The outcome of the event. The lowest categorization field in the hierarchy. type: keyword @@ -1785,6 +1909,7 @@ event.provider: ignore_above: 1024 level: extended name: provider + normalize: [] order: 9 short: Source of the event. type: keyword @@ -1795,6 +1920,7 @@ event.risk_score: flat_name: event.risk_score level: core name: risk_score + normalize: [] order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
@@ -1809,6 +1935,7 @@ event.risk_score_norm: flat_name: event.risk_score_norm level: extended name: risk_score_norm + normalize: [] order: 20 short: Normalized risk score or priority of the event (0-100). type: float @@ -1822,6 +1949,7 @@ event.sequence: format: string level: extended name: sequence + normalize: [] order: 14 short: Sequence number of the event. type: long @@ -1842,6 +1970,7 @@ event.severity: format: string level: core name: severity + normalize: [] order: 10 short: Numeric severity of the event. type: long @@ -1852,6 +1981,7 @@ event.start: flat_name: event.start level: extended name: start + normalize: [] order: 17 short: event.start contains the date when the event started or when the activity was first observed. @@ -1868,6 +1998,7 @@ event.timezone: ignore_above: 1024 level: extended name: timezone + normalize: [] order: 15 short: Event time zone. type: keyword @@ -1954,6 +2085,8 @@ event.type: ignore_above: 1024 level: core name: type + normalize: + - array order: 6 short: Event type. The third categorization field in the hierarchy. type: keyword @@ -1965,6 +2098,7 @@ file.accessed: flat_name: file.accessed level: extended name: accessed + normalize: [] order: 19 short: Last time the file was accessed. type: date @@ -1980,6 +2114,8 @@ file.attributes: ignore_above: 1024 level: extended name: attributes + normalize: + - array order: 1 short: Array of file attributes. type: keyword @@ -1991,6 +2127,7 @@ file.created: flat_name: file.created level: extended name: created + normalize: [] order: 18 short: File creation time. type: date @@ -2003,6 +2140,7 @@ file.ctime: flat_name: file.ctime level: extended name: ctime + normalize: [] order: 17 short: Last time the file attributes or metadata changed. type: date @@ -2014,6 +2152,7 @@ file.device: ignore_above: 1024 level: extended name: device + normalize: [] order: 8 short: Device that is the source of the file. type: keyword 
@@ -2026,6 +2165,7 @@ file.directory: ignore_above: 1024 level: extended name: directory + normalize: [] order: 2 short: Directory where the file is located. type: keyword @@ -2040,6 +2180,7 @@ file.drive_letter: ignore_above: 1 level: extended name: drive_letter + normalize: [] order: 3 short: Drive letter where the file is located. type: keyword @@ -2051,6 +2192,7 @@ file.extension: ignore_above: 1024 level: extended name: extension + normalize: [] order: 6 short: File extension. type: keyword @@ -2062,6 +2204,7 @@ file.gid: ignore_above: 1024 level: extended name: gid + normalize: [] order: 12 short: Primary group ID (GID) of the file. type: keyword @@ -2073,6 +2216,7 @@ file.group: ignore_above: 1024 level: extended name: group + normalize: [] order: 13 short: Primary group name of the file. type: keyword @@ -2083,6 +2227,7 @@ file.hash.md5: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -2094,6 +2239,7 @@ file.hash.sha1: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -2105,6 +2251,7 @@ file.hash.sha256: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -2116,6 +2263,7 @@ file.hash.sha512: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -2128,6 +2276,7 @@ file.inode: ignore_above: 1024 level: extended name: inode + normalize: [] order: 9 short: Inode representing the file in the filesystem. type: keyword @@ -2139,6 +2288,7 @@ file.mode: ignore_above: 1024 level: extended name: mode + normalize: [] order: 14 short: Mode of the file in octal representation. type: keyword @@ -2148,6 +2298,7 @@ file.mtime: flat_name: file.mtime level: extended name: mtime + normalize: [] order: 16 short: Last time the file content was modified. type: date 
@@ -2159,6 +2310,7 @@ file.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Name of the file including the extension, without the directory. type: keyword @@ -2170,6 +2322,7 @@ file.owner: ignore_above: 1024 level: extended name: owner + normalize: [] order: 11 short: File owner's username. type: keyword @@ -2187,6 +2340,7 @@ file.path: norms: false type: text name: path + normalize: [] order: 4 short: Full path to the file, including the file name. type: keyword @@ -2199,6 +2353,7 @@ file.size: flat_name: file.size level: extended name: size + normalize: [] order: 15 short: File size in bytes. type: long @@ -2214,6 +2369,7 @@ file.target_path: norms: false type: text name: target_path + normalize: [] order: 5 short: Target path for symlinks. type: keyword @@ -2225,6 +2381,7 @@ file.type: ignore_above: 1024 level: extended name: type + normalize: [] order: 7 short: File type (file, dir, or symlink). type: keyword @@ -2236,6 +2393,7 @@ file.uid: ignore_above: 1024 level: extended name: uid + normalize: [] order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword @@ -2247,6 +2405,7 @@ geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -2259,6 +2418,7 @@ geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -2271,6 +2431,7 @@ geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -2283,6 +2444,7 @@ geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -2294,6 +2456,7 @@ geo.location: flat_name: geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. 
@@ -2312,6 +2475,7 @@ geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -2324,6 +2488,7 @@ geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -2336,6 +2501,7 @@ geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -2349,6 +2515,7 @@ group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -2360,6 +2527,7 @@ group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -2371,6 +2539,7 @@ group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -2382,6 +2551,7 @@ hash.md5: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -2393,6 +2563,7 @@ hash.sha1: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -2404,6 +2575,7 @@ hash.sha256: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -2415,6 +2587,7 @@ hash.sha512: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -2427,6 +2600,7 @@ host.architecture: ignore_above: 1024 level: core name: architecture + normalize: [] order: 7 short: Operating system architecture. type: keyword @@ -2441,6 +2615,7 @@ host.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 8 short: Name of the directory the group is a member of. type: keyword 
@@ -2452,6 +2627,7 @@ host.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -2464,6 +2640,7 @@ host.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -2476,6 +2653,7 @@ host.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -2488,6 +2666,7 @@ host.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -2499,6 +2678,7 @@ host.geo.location: flat_name: host.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -2517,6 +2697,7 @@ host.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -2529,6 +2710,7 @@ host.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -2541,6 +2723,7 @@ host.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -2554,6 +2737,7 @@ host.hostname: ignore_above: 1024 level: core name: hostname + normalize: [] order: 0 short: Hostname of the host. type: keyword 
@@ -2568,27 +2752,32 @@ host.id: ignore_above: 1024 level: core name: id + normalize: [] order: 2 short: Unique host id. type: keyword host.ip: dashed_name: host-ip - description: Host ip address. + description: Host ip addresses. flat_name: host.ip level: core name: ip + normalize: + - array order: 3 - short: Host ip address. + short: Host ip addresses. type: ip host.mac: dashed_name: host-mac - description: Host mac address. + description: Host mac addresses. flat_name: host.mac ignore_above: 1024 level: core name: mac + normalize: + - array order: 4 - short: Host mac address. + short: Host mac addresses. type: keyword host.name: dashed_name: host-name @@ -2600,6 +2789,7 @@ host.name: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Name of the host. type: keyword @@ -2611,6 +2801,7 @@ host.os.family: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). @@ -2628,6 +2819,7 @@ host.os.full: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -2640,6 +2832,7 @@ host.os.kernel: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -2657,6 +2850,7 @@ host.os.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -2669,6 +2863,7 @@ host.os.platform: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -2681,6 +2876,7 @@ host.os.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. 
@@ -2695,6 +2891,7 @@ host.type: ignore_above: 1024 level: core name: type + normalize: [] order: 5 short: Type of host. type: keyword @@ -2705,6 +2902,7 @@ host.uptime: flat_name: host.uptime level: extended name: uptime + normalize: [] order: 6 short: Seconds the host has been up. type: long @@ -2717,6 +2915,7 @@ host.user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -2728,6 +2927,7 @@ host.user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -2745,6 +2945,7 @@ host.user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -2758,6 +2959,7 @@ host.user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -2769,6 +2971,7 @@ host.user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -2780,6 +2983,7 @@ host.user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. 
@@ -2795,20 +2999,22 @@ host.user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword host.user.id: dashed_name: host-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: host.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword host.user.name: dashed_name: host-user-name @@ -2823,6 +3029,7 @@ host.user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -2835,6 +3042,7 @@ http.request.body.bytes: format: bytes level: extended name: request.body.bytes + normalize: [] order: 7 short: Size in bytes of the request body. type: long @@ -2851,6 +3059,7 @@ http.request.body.content: norms: false type: text name: request.body.content + normalize: [] order: 1 short: The full HTTP request body. type: keyword @@ -2862,6 +3071,7 @@ http.request.bytes: format: bytes level: extended name: request.bytes + normalize: [] order: 6 short: Total size in bytes of the request (body and headers). type: long @@ -2876,6 +3086,7 @@ http.request.method: ignore_above: 1024 level: extended name: request.method + normalize: [] order: 0 short: HTTP request method. type: keyword @@ -2887,6 +3098,7 @@ http.request.referrer: ignore_above: 1024 level: extended name: request.referrer + normalize: [] order: 2 short: Referrer for this HTTP request. type: keyword @@ -2898,6 +3110,7 @@ http.response.body.bytes: format: bytes level: extended name: response.body.bytes + normalize: [] order: 9 short: Size in bytes of the response body. type: long 
@@ -2914,6 +3127,7 @@ http.response.body.content: norms: false type: text name: response.body.content + normalize: [] order: 4 short: The full HTTP response body. type: keyword @@ -2925,6 +3139,7 @@ http.response.bytes: format: bytes level: extended name: response.bytes + normalize: [] order: 8 short: Total size in bytes of the response (body and headers). type: long @@ -2936,6 +3151,7 @@ http.response.status_code: format: string level: extended name: response.status_code + normalize: [] order: 3 short: HTTP response status code. type: long @@ -2947,6 +3163,7 @@ http.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 5 short: HTTP version. type: keyword @@ -2964,6 +3181,7 @@ labels: flat_name: labels level: core name: labels + normalize: [] object_type: keyword order: 2 short: Custom key/value pairs. @@ -2982,6 +3200,7 @@ log.level: ignore_above: 1024 level: core name: level + normalize: [] order: 0 short: Log level of the log event. type: keyword @@ -2994,6 +3213,7 @@ log.logger: ignore_above: 1024 level: core name: logger + normalize: [] order: 2 short: Name of the logger. type: keyword @@ -3005,6 +3225,7 @@ log.origin.file.line: flat_name: log.origin.file.line level: extended name: origin.file.line + normalize: [] order: 4 short: The line number of the file which originated the log event. type: integer @@ -3017,6 +3238,7 @@ log.origin.file.name: ignore_above: 1024 level: extended name: origin.file.name + normalize: [] order: 3 short: The file which originated the log event. type: keyword @@ -3028,6 +3250,7 @@ log.origin.function: ignore_above: 1024 level: extended name: origin.function + normalize: [] order: 5 short: The function which originated the log event. type: keyword @@ -3050,6 +3273,7 @@ log.original: index: false level: core name: original + normalize: [] order: 1 short: Original log message with light interpretation only (encoding, newlines). type: keyword 
@@ -3060,6 +3284,7 @@ log.syslog: flat_name: log.syslog level: extended name: syslog + normalize: [] object_type: keyword order: 6 short: Syslog metadata @@ -3075,6 +3300,7 @@ log.syslog.facility.code: format: string level: extended name: syslog.facility.code + normalize: [] order: 9 short: Syslog numeric facility of the event. type: long @@ -3086,6 +3312,7 @@ log.syslog.facility.name: ignore_above: 1024 level: extended name: syslog.facility.name + normalize: [] order: 10 short: Syslog text-based facility of the event. type: keyword @@ -3100,6 +3327,7 @@ log.syslog.priority: format: string level: extended name: syslog.priority + normalize: [] order: 11 short: Syslog priority of the event. type: long @@ -3115,6 +3343,7 @@ log.syslog.severity.code: flat_name: log.syslog.severity.code level: extended name: syslog.severity.code + normalize: [] order: 7 short: Syslog numeric severity of the event. type: long @@ -3131,6 +3360,7 @@ log.syslog.severity.name: ignore_above: 1024 level: extended name: syslog.severity.name + normalize: [] order: 8 short: Syslog text-based severity of the event. type: keyword @@ -3147,6 +3377,7 @@ message: flat_name: message level: core name: message + normalize: [] norms: false order: 3 short: Log message optimized for viewing in a log viewer. @@ -3165,6 +3396,7 @@ network.application: ignore_above: 1024 level: extended name: application + normalize: [] order: 4 short: Application level protocol name. type: keyword @@ -3179,6 +3411,7 @@ network.bytes: format: bytes level: core name: bytes + normalize: [] order: 9 short: Total bytes transferred in both directions. type: long @@ -3193,6 +3426,7 @@ network.community_id: ignore_above: 1024 level: extended name: community_id + normalize: [] order: 8 short: A hash of source and destination IPs and ports. type: keyword @@ -3208,6 +3442,7 @@ network.direction: ignore_above: 1024 level: core name: direction + normalize: [] order: 6 short: Direction of the network traffic. type: keyword 
@@ -3218,6 +3453,7 @@ network.forwarded_ip: flat_name: network.forwarded_ip level: core name: forwarded_ip + normalize: [] order: 7 short: Host IP address when the source IP address is the proxy. type: ip @@ -3231,6 +3467,7 @@ network.iana_number: ignore_above: 1024 level: extended name: iana_number + normalize: [] order: 2 short: IANA Protocol Number. type: keyword @@ -3242,6 +3479,7 @@ network.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Name given by operators to sections of their network. type: keyword @@ -3255,6 +3493,7 @@ network.packets: flat_name: network.packets level: core name: packets + normalize: [] order: 10 short: Total packets transferred in both directions. type: long @@ -3269,6 +3508,7 @@ network.protocol: ignore_above: 1024 level: core name: protocol + normalize: [] order: 5 short: L7 Network protocol name. type: keyword @@ -3284,6 +3524,7 @@ network.transport: ignore_above: 1024 level: core name: transport + normalize: [] order: 3 short: Protocol Name corresponding to the field `iana_number`. type: keyword @@ -3299,6 +3540,7 @@ network.type: ignore_above: 1024 level: core name: type + normalize: [] order: 1 short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc @@ -3311,6 +3553,7 @@ observer.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -3323,6 +3566,7 @@ observer.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -3335,6 +3579,7 @@ observer.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -3347,6 +3592,7 @@ observer.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. 
@@ -3358,6 +3604,7 @@ observer.geo.location: flat_name: observer.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -3376,6 +3623,7 @@ observer.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -3388,6 +3636,7 @@ observer.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -3400,6 +3649,7 @@ observer.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -3411,27 +3661,32 @@ observer.hostname: ignore_above: 1024 level: core name: hostname + normalize: [] order: 2 short: Hostname of the observer. type: keyword observer.ip: dashed_name: observer-ip - description: IP address of the observer. + description: IP addresses of the observer. flat_name: observer.ip level: core name: ip + normalize: + - array order: 1 - short: IP address of the observer. + short: IP addresses of the observer. type: ip observer.mac: dashed_name: observer-mac - description: MAC address of the observer + description: MAC addresses of the observer flat_name: observer.mac ignore_above: 1024 level: core name: mac + normalize: + - array order: 0 - short: MAC address of the observer + short: MAC addresses of the observer type: keyword observer.name: dashed_name: observer-name @@ -3446,6 +3701,7 @@ observer.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 3 short: Custom name of the observer. type: keyword @@ -3457,6 +3713,7 @@ observer.os.family: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). 
@@ -3474,6 +3731,7 @@ observer.os.full: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -3486,6 +3744,7 @@ observer.os.kernel: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -3503,6 +3762,7 @@ observer.os.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -3515,6 +3775,7 @@ observer.os.platform: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -3527,6 +3788,7 @@ observer.os.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -3539,6 +3801,7 @@ observer.product: ignore_above: 1024 level: extended name: product + normalize: [] order: 4 short: The product name of the observer. type: keyword @@ -3549,6 +3812,7 @@ observer.serial_number: ignore_above: 1024 level: extended name: serial_number + normalize: [] order: 7 short: Observer serial number. type: keyword @@ -3563,6 +3827,7 @@ observer.type: ignore_above: 1024 level: core name: type + normalize: [] order: 8 short: The type of the observer the data is coming from. type: keyword @@ -3574,6 +3839,7 @@ observer.vendor: ignore_above: 1024 level: core name: vendor + normalize: [] order: 5 short: Vendor name of the observer. type: keyword @@ -3584,6 +3850,7 @@ observer.version: ignore_above: 1024 level: core name: version + normalize: [] order: 6 short: Observer version. type: keyword @@ -3594,6 +3861,7 @@ organization.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 1 short: Unique identifier for the organization. type: keyword 
@@ -3609,6 +3877,7 @@ organization.name: norms: false type: text name: name + normalize: [] order: 0 short: Organization name. type: keyword @@ -3620,6 +3889,7 @@ os.family: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). @@ -3637,6 +3907,7 @@ os.full: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -3649,6 +3920,7 @@ os.kernel: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -3666,6 +3938,7 @@ os.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -3678,6 +3951,7 @@ os.platform: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -3690,6 +3964,7 @@ os.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -3702,6 +3977,7 @@ package.architecture: ignore_above: 1024 level: extended name: architecture + normalize: [] order: 7 short: Package architecture. type: keyword @@ -3715,6 +3991,7 @@ package.build_version: ignore_above: 1024 level: extended name: build_version + normalize: [] order: 2 short: Build version information type: keyword @@ -3726,6 +4003,7 @@ package.checksum: ignore_above: 1024 level: extended name: checksum + normalize: [] order: 8 short: Checksum of the installed package for verification. type: keyword @@ -3737,6 +4015,7 @@ package.description: ignore_above: 1024 level: extended name: description + normalize: [] order: 3 short: Description of the package. type: keyword 
@@ -3748,6 +4027,7 @@ package.install_scope: ignore_above: 1024 level: extended name: install_scope + normalize: [] order: 9 short: Indicating how the package was installed, e.g. user-local, global. type: keyword @@ -3757,6 +4037,7 @@ package.installed: flat_name: package.installed level: extended name: installed + normalize: [] order: 5 short: Time when package was installed. type: date @@ -3771,6 +4052,7 @@ package.license: ignore_above: 1024 level: extended name: license + normalize: [] order: 10 short: Package license type: keyword @@ -3782,6 +4064,7 @@ package.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Package name type: keyword @@ -3793,6 +4076,7 @@ package.path: ignore_above: 1024 level: extended name: path + normalize: [] order: 6 short: Path where the package is installed. type: keyword @@ -3804,6 +4088,7 @@ package.reference: ignore_above: 1024 level: extended name: reference + normalize: [] order: 11 short: Package home page or reference URL type: keyword @@ -3815,6 +4100,7 @@ package.size: format: string level: extended name: size + normalize: [] order: 4 short: Package size in bytes. type: long @@ -3829,6 +4115,7 @@ package.type: ignore_above: 1024 level: extended name: type + normalize: [] order: 12 short: Package type type: keyword @@ -3840,6 +4127,7 @@ package.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 1 short: Package version type: keyword @@ -3858,6 +4146,8 @@ process.args: ignore_above: 1024 level: extended name: args + normalize: + - array order: 10 short: Array of process arguments. type: keyword @@ -3872,6 +4162,7 @@ process.args_count: flat_name: process.args_count level: extended name: args_count + normalize: [] order: 12 short: Length of the process.args array. type: long @@ -3891,6 +4182,7 @@ process.command_line: norms: false type: text name: command_line + normalize: [] order: 8 short: Full command line that started the process. type: keyword 
@@ -3907,6 +4199,7 @@ process.executable: norms: false type: text name: executable + normalize: [] order: 14 short: Absolute path to the process executable. type: keyword @@ -3920,6 +4213,7 @@ process.exit_code: flat_name: process.exit_code level: extended name: exit_code + normalize: [] order: 28 short: The exit code of the process. type: long @@ -3930,6 +4224,7 @@ process.hash.md5: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -3941,6 +4236,7 @@ process.hash.sha1: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -3952,6 +4248,7 @@ process.hash.sha256: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -3963,6 +4260,7 @@ process.hash.sha512: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -3982,6 +4280,7 @@ process.name: norms: false type: text name: name + normalize: [] order: 2 short: Process name. type: keyword @@ -3999,6 +4298,8 @@ process.parent.args: ignore_above: 1024 level: extended name: parent.args + normalize: + - array order: 11 short: Array of process arguments. type: keyword @@ -4013,6 +4314,7 @@ process.parent.args_count: flat_name: process.parent.args_count level: extended name: parent.args_count + normalize: [] order: 13 short: Length of the process.args array. type: long @@ -4032,6 +4334,7 @@ process.parent.command_line: norms: false type: text name: parent.command_line + normalize: [] order: 9 short: Full command line that started the process. type: keyword @@ -4048,6 +4351,7 @@ process.parent.executable: norms: false type: text name: parent.executable + normalize: [] order: 15 short: Absolute path to the process executable. type: keyword 
@@ -4061,6 +4365,7 @@ process.parent.exit_code: flat_name: process.parent.exit_code level: extended name: parent.exit_code + normalize: [] order: 29 short: The exit code of the process. type: long @@ -4071,6 +4376,7 @@ process.parent.hash.md5: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -4082,6 +4388,7 @@ process.parent.hash.sha1: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -4093,6 +4400,7 @@ process.parent.hash.sha256: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -4104,6 +4412,7 @@ process.parent.hash.sha512: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -4123,6 +4432,7 @@ process.parent.name: norms: false type: text name: parent.name + normalize: [] order: 3 short: Process name. type: keyword @@ -4133,6 +4443,7 @@ process.parent.pgid: format: string level: extended name: parent.pgid + normalize: [] order: 7 short: Identifier of the group of processes the process belongs to. type: long @@ -4144,6 +4455,7 @@ process.parent.pid: format: string level: core name: parent.pid + normalize: [] order: 1 short: Process id. type: long @@ -4155,6 +4467,7 @@ process.parent.ppid: format: string level: extended name: parent.ppid + normalize: [] order: 5 short: Parent process' pid. type: long @@ -4165,6 +4478,7 @@ process.parent.start: flat_name: process.parent.start level: extended name: parent.start + normalize: [] order: 23 short: The time the process started. type: date @@ -4176,6 +4490,7 @@ process.parent.thread.id: format: string level: extended name: parent.thread.id + normalize: [] order: 19 short: Thread ID. type: long @@ -4187,6 +4502,7 @@ process.parent.thread.name: ignore_above: 1024 level: extended name: parent.thread.name + normalize: [] order: 21 short: Thread name. type: keyword 
@@ -4205,6 +4521,7 @@ process.parent.title: norms: false type: text name: parent.title + normalize: [] order: 17 short: Process title. type: keyword @@ -4215,6 +4532,7 @@ process.parent.uptime: flat_name: process.parent.uptime level: extended name: parent.uptime + normalize: [] order: 25 short: Seconds the process has been up. type: long @@ -4231,6 +4549,7 @@ process.parent.working_directory: norms: false type: text name: parent.working_directory + normalize: [] order: 27 short: The working directory of the process. type: keyword @@ -4241,6 +4560,7 @@ process.pgid: format: string level: extended name: pgid + normalize: [] order: 6 short: Identifier of the group of processes the process belongs to. type: long @@ -4252,6 +4572,7 @@ process.pid: format: string level: core name: pid + normalize: [] order: 0 short: Process id. type: long @@ -4263,6 +4584,7 @@ process.ppid: format: string level: extended name: ppid + normalize: [] order: 4 short: Parent process' pid. type: long @@ -4273,6 +4595,7 @@ process.start: flat_name: process.start level: extended name: start + normalize: [] order: 22 short: The time the process started. type: date @@ -4284,6 +4607,7 @@ process.thread.id: format: string level: extended name: thread.id + normalize: [] order: 18 short: Thread ID. type: long @@ -4295,6 +4619,7 @@ process.thread.name: ignore_above: 1024 level: extended name: thread.name + normalize: [] order: 20 short: Thread name. type: keyword @@ -4313,6 +4638,7 @@ process.title: norms: false type: text name: title + normalize: [] order: 16 short: Process title. type: keyword @@ -4323,6 +4649,7 @@ process.uptime: flat_name: process.uptime level: extended name: uptime + normalize: [] order: 24 short: Seconds the process has been up. type: long @@ -4339,6 +4666,7 @@ process.working_directory: norms: false type: text name: working_directory + normalize: [] order: 26 short: The working directory of the process. type: keyword 
@@ -4354,6 +4682,7 @@ registry.data.bytes: ignore_above: 1024 level: extended name: data.bytes + normalize: [] order: 6 short: Original bytes written with base64 encoding. type: keyword @@ -4371,6 +4700,7 @@ registry.data.strings: ignore_above: 1024 level: core name: data.strings + normalize: [] order: 5 short: List of strings representing what was written to the registry. type: keyword @@ -4382,6 +4712,7 @@ registry.data.type: ignore_above: 1024 level: core name: data.type + normalize: [] order: 4 short: Standard registry type for encoding contents type: keyword @@ -4393,6 +4724,7 @@ registry.hive: ignore_above: 1024 level: core name: hive + normalize: [] order: 0 short: Abbreviated name for the hive. type: keyword @@ -4404,6 +4736,7 @@ registry.key: ignore_above: 1024 level: core name: key + normalize: [] order: 1 short: Hive-relative path of keys. type: keyword @@ -4416,6 +4749,7 @@ registry.path: ignore_above: 1024 level: core name: path + normalize: [] order: 3 short: Full path, including hive, key and value type: keyword @@ -4427,6 +4761,7 @@ registry.value: ignore_above: 1024 level: core name: value + normalize: [] order: 2 short: Name of the value written. type: keyword @@ -4439,6 +4774,8 @@ related.hash: ignore_above: 1024 level: extended name: hash + normalize: + - array order: 2 short: All the hashes seen on your event. type: keyword @@ -4448,6 +4785,8 @@ related.ip: flat_name: related.ip level: extended name: ip + normalize: + - array order: 0 short: All of the IPs seen on your event. type: ip @@ -4458,6 +4797,8 @@ related.user: ignore_above: 1024 level: extended name: user + normalize: + - array order: 1 short: All the user names seen on your event. type: keyword @@ -4470,6 +4811,7 @@ rule.category: ignore_above: 1024 level: extended name: category + normalize: [] order: 5 short: Rule category type: keyword 
@@ -4481,6 +4823,7 @@ rule.description: ignore_above: 1024 level: extended name: description + normalize: [] order: 4 short: Rule description type: keyword @@ -4493,6 +4836,7 @@ rule.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 short: Rule ID type: keyword @@ -4504,6 +4848,7 @@ rule.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 3 short: Rule name type: keyword @@ -4520,6 +4865,7 @@ rule.reference: ignore_above: 1024 level: extended name: reference + normalize: [] order: 7 short: Rule reference URL type: keyword @@ -4532,6 +4878,7 @@ rule.ruleset: ignore_above: 1024 level: extended name: ruleset + normalize: [] order: 6 short: Rule ruleset type: keyword @@ -4544,6 +4891,7 @@ rule.uuid: ignore_above: 1024 level: extended name: uuid + normalize: [] order: 1 short: Rule UUID type: keyword @@ -4555,6 +4903,7 @@ rule.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 2 short: Rule version type: keyword @@ -4570,6 +4919,7 @@ server.address: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Server network address. type: keyword @@ -4581,6 +4931,7 @@ server.as.number: flat_name: server.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system number @@ -4599,6 +4950,7 @@ server.as.organization.name: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -4611,6 +4963,7 @@ server.bytes: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the server to the client. type: long @@ -4621,6 +4974,7 @@ server.domain: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Server domain. type: keyword 
@@ -4632,6 +4986,7 @@ server.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -4644,6 +4999,7 @@ server.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -4656,6 +5012,7 @@ server.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -4668,6 +5025,7 @@ server.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -4679,6 +5037,7 @@ server.geo.location: flat_name: server.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -4697,6 +5056,7 @@ server.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -4709,6 +5069,7 @@ server.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -4721,6 +5082,7 @@ server.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -4733,6 +5095,7 @@ server.ip: flat_name: server.ip level: core name: ip + normalize: [] order: 1 short: IP address of the server. type: ip @@ -4743,6 +5106,7 @@ server.mac: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the server. type: keyword @@ -4755,6 +5119,7 @@ server.nat.ip: flat_name: server.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Server NAT ip type: ip @@ -4768,6 +5133,7 @@ server.nat.port: format: string level: extended name: nat.port + normalize: [] order: 10 short: Server NAT port type: long 
@@ -4778,6 +5144,7 @@ server.packets: flat_name: server.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the server to the client. type: long @@ -4788,6 +5155,7 @@ server.port: format: string level: core name: port + normalize: [] order: 2 short: Port of the server. type: long @@ -4805,6 +5173,7 @@ server.registered_domain: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered server domain, stripped of the subdomain. type: keyword @@ -4822,6 +5191,7 @@ server.top_level_domain: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -4834,6 +5204,7 @@ server.user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -4845,6 +5216,7 @@ server.user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -4862,6 +5234,7 @@ server.user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -4875,6 +5248,7 @@ server.user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -4886,6 +5260,7 @@ server.user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -4897,6 +5272,7 @@ server.user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. 
@@ -4912,20 +5288,22 @@ server.user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword server.user.id: dashed_name: server-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: server.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword server.user.name: dashed_name: server-user-name @@ -4940,6 +5318,7 @@ server.user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -4954,6 +5333,7 @@ service.ephemeral_id: ignore_above: 1024 level: extended name: ephemeral_id + normalize: [] order: 6 short: Ephemeral identifier of this service. type: keyword @@ -4973,6 +5353,7 @@ service.id: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique identifier of the running service. type: keyword @@ -4991,6 +5372,7 @@ service.name: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Name of the service. type: keyword @@ -5013,6 +5395,7 @@ service.node.name: ignore_above: 1024 level: extended name: node.name + normalize: [] order: 2 short: Name of the service node. type: keyword @@ -5023,6 +5406,7 @@ service.state: ignore_above: 1024 level: core name: state + normalize: [] order: 4 short: Current state of the service. type: keyword @@ -5040,6 +5424,7 @@ service.type: ignore_above: 1024 level: core name: type + normalize: [] order: 3 short: The type of the service. type: keyword @@ -5053,6 +5438,7 @@ service.version: ignore_above: 1024 level: core name: version + normalize: [] order: 5 short: Version of the service. type: keyword 
@@ -5068,6 +5454,7 @@ source.address: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Source network address. type: keyword @@ -5079,6 +5466,7 @@ source.as.number: flat_name: source.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system number @@ -5097,6 +5485,7 @@ source.as.organization.name: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -5109,6 +5498,7 @@ source.bytes: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the source to the destination. type: long @@ -5119,6 +5509,7 @@ source.domain: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Source domain. type: keyword @@ -5130,6 +5521,7 @@ source.geo.city_name: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -5142,6 +5534,7 @@ source.geo.continent_name: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -5154,6 +5547,7 @@ source.geo.country_iso_code: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -5166,6 +5560,7 @@ source.geo.country_name: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -5177,6 +5572,7 @@ source.geo.location: flat_name: source.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -5195,6 +5591,7 @@ source.geo.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. 
@@ -5207,6 +5604,7 @@ source.geo.region_iso_code: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -5219,6 +5617,7 @@ source.geo.region_name: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -5231,6 +5630,7 @@ source.ip: flat_name: source.ip level: core name: ip + normalize: [] order: 1 short: IP address of the source. type: ip @@ -5241,6 +5641,7 @@ source.mac: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the source. type: keyword @@ -5253,6 +5654,7 @@ source.nat.ip: flat_name: source.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Source NAT ip type: ip @@ -5266,6 +5668,7 @@ source.nat.port: format: string level: extended name: nat.port + normalize: [] order: 10 short: Source NAT port type: long @@ -5276,6 +5679,7 @@ source.packets: flat_name: source.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the source to the destination. type: long @@ -5286,6 +5690,7 @@ source.port: format: string level: core name: port + normalize: [] order: 2 short: Port of the source. type: long @@ -5303,6 +5708,7 @@ source.registered_domain: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered source domain, stripped of the subdomain. type: keyword @@ -5320,6 +5726,7 @@ source.top_level_domain: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -5332,6 +5739,7 @@ source.user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. 
@@ -5343,6 +5751,7 @@ source.user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -5360,6 +5769,7 @@ source.user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -5373,6 +5783,7 @@ source.user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -5384,6 +5795,7 @@ source.user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -5395,6 +5807,7 @@ source.user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -5410,20 +5823,22 @@ source.user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword source.user.id: dashed_name: source-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: source.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword source.user.name: dashed_name: source-user-name @@ -5438,6 +5853,7 @@ source.user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -5450,6 +5866,8 @@ tags: ignore_above: 1024 level: core name: tags + normalize: + - array order: 1 short: List of keywords used to tag each event. type: keyword 
@@ -5464,6 +5882,7 @@ threat.framework: ignore_above: 1024 level: extended name: framework + normalize: [] order: 0 short: Threat classification framework. type: keyword @@ -5477,6 +5896,8 @@ threat.tactic.id: ignore_above: 1024 level: extended name: tactic.id + normalize: + - array order: 2 short: Threat tactic id. type: keyword @@ -5490,6 +5911,8 @@ threat.tactic.name: ignore_above: 1024 level: extended name: tactic.name + normalize: + - array order: 1 short: Threat tactic. type: keyword @@ -5503,6 +5926,8 @@ threat.tactic.reference: ignore_above: 1024 level: extended name: tactic.reference + normalize: + - array order: 3 short: Threat tactic url reference. type: keyword @@ -5516,6 +5941,8 @@ threat.technique.id: ignore_above: 1024 level: extended name: technique.id + normalize: + - array order: 5 short: Threat technique id. type: keyword @@ -5534,6 +5961,8 @@ threat.technique.name: norms: false type: text name: technique.name + normalize: + - array order: 4 short: Threat technique name. type: keyword @@ -5547,6 +5976,8 @@ threat.technique.reference: ignore_above: 1024 level: extended name: technique.reference + normalize: + - array order: 6 short: Threat technique reference. type: keyword @@ -5558,6 +5989,7 @@ tls.cipher: ignore_above: 1024 level: extended name: cipher + normalize: [] order: 2 short: String indicating the cipher used during the current connection. type: keyword @@ -5571,6 +6003,7 @@ tls.client.certificate: ignore_above: 1024 level: extended name: client.certificate + normalize: [] order: 15 short: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists 
@@ -5588,6 +6021,8 @@ tls.client.certificate_chain: ignore_above: 1024 level: extended name: client.certificate_chain + normalize: + - array order: 14 short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since @@ -5603,6 +6038,7 @@ tls.client.hash.md5: ignore_above: 1024 level: extended name: client.hash.md5 + normalize: [] order: 16 short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should @@ -5618,6 +6054,7 @@ tls.client.hash.sha1: ignore_above: 1024 level: extended name: client.hash.sha1 + normalize: [] order: 17 short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should @@ -5633,6 +6070,7 @@ tls.client.hash.sha256: ignore_above: 1024 level: extended name: client.hash.sha256 + normalize: [] order: 18 short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this @@ -5647,6 +6085,7 @@ tls.client.issuer: ignore_above: 1024 level: extended name: client.issuer + normalize: [] order: 11 short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -5660,6 +6099,7 @@ tls.client.ja3: ignore_above: 1024 level: extended name: client.ja3 + normalize: [] order: 7 short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword @@ -5671,6 +6111,7 @@ tls.client.not_after: flat_name: tls.client.not_after level: extended name: client.not_after + normalize: [] order: 13 short: Date/Time indicating when client certificate is no longer considered valid. type: date 
@@ -5681,6 +6122,7 @@ tls.client.not_before: flat_name: tls.client.not_before level: extended name: client.not_before + normalize: [] order: 12 short: Date/Time indicating when client certificate is first considered valid. type: date @@ -5694,6 +6136,7 @@ tls.client.server_name: ignore_above: 1024 level: extended name: client.server_name + normalize: [] order: 8 short: Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to @@ -5708,6 +6151,7 @@ tls.client.subject: ignore_above: 1024 level: extended name: client.subject + normalize: [] order: 10 short: Distinguished name of subject of the x.509 certificate presented by the client. type: keyword @@ -5722,6 +6166,8 @@ tls.client.supported_ciphers: ignore_above: 1024 level: extended name: client.supported_ciphers + normalize: + - array order: 9 short: Array of ciphers offered by the client during the client hello. type: keyword @@ -5733,6 +6179,7 @@ tls.curve: ignore_above: 1024 level: extended name: curve + normalize: [] order: 3 short: String indicating the curve used for the given cipher, when applicable. type: keyword @@ -5743,6 +6190,7 @@ tls.established: flat_name: tls.established level: extended name: established + normalize: [] order: 5 short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. @@ -5757,6 +6205,7 @@ tls.next_protocol: ignore_above: 1024 level: extended name: next_protocol + normalize: [] order: 6 short: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), @@ -5769,6 +6218,7 @@ tls.resumed: flat_name: tls.resumed level: extended name: resumed + normalize: [] order: 4 short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
@@ -5783,6 +6233,7 @@ tls.server.certificate: ignore_above: 1024 level: extended name: server.certificate + normalize: [] order: 25 short: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists @@ -5800,6 +6251,8 @@ tls.server.certificate_chain: ignore_above: 1024 level: extended name: server.certificate_chain + normalize: + - array order: 24 short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since @@ -5815,6 +6268,7 @@ tls.server.hash.md5: ignore_above: 1024 level: extended name: server.hash.md5 + normalize: [] order: 26 short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should @@ -5830,6 +6284,7 @@ tls.server.hash.sha1: ignore_above: 1024 level: extended name: server.hash.sha1 + normalize: [] order: 27 short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should @@ -5845,6 +6300,7 @@ tls.server.hash.sha256: ignore_above: 1024 level: extended name: server.hash.sha256 + normalize: [] order: 28 short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this @@ -5858,6 +6314,7 @@ tls.server.issuer: ignore_above: 1024 level: extended name: server.issuer + normalize: [] order: 21 short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword @@ -5870,6 +6327,7 @@ tls.server.ja3s: ignore_above: 1024 level: extended name: server.ja3s + normalize: [] order: 19 short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword 
@@ -5881,6 +6339,7 @@ tls.server.not_after: flat_name: tls.server.not_after level: extended name: server.not_after + normalize: [] order: 23 short: Timestamp indicating when server certificate is no longer considered valid. type: date @@ -5891,6 +6350,7 @@ tls.server.not_before: flat_name: tls.server.not_before level: extended name: server.not_before + normalize: [] order: 22 short: Timestamp indicating when server certificate is first considered valid. type: date @@ -5902,6 +6362,7 @@ tls.server.subject: ignore_above: 1024 level: extended name: server.subject + normalize: [] order: 20 short: Subject of the x.509 certificate presented by the server. type: keyword @@ -5913,6 +6374,7 @@ tls.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 0 short: Numeric part of the version parsed from the original string. type: keyword @@ -5924,6 +6386,7 @@ tls.version_protocol: ignore_above: 1024 level: extended name: version_protocol + normalize: [] order: 1 short: Normalized lowercase protocol name parsed from original string. type: keyword @@ -5938,6 +6401,7 @@ trace.id: ignore_above: 1024 level: extended name: trace.id + normalize: [] order: 0 short: Unique identifier of the trace. type: keyword @@ -5952,6 +6416,7 @@ transaction.id: ignore_above: 1024 level: extended name: transaction.id + normalize: [] order: 1 short: Unique identifier of the transaction. type: keyword @@ -5966,6 +6431,7 @@ url.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 3 short: Domain of the url. type: keyword @@ -5982,6 +6448,7 @@ url.extension: ignore_above: 1024 level: extended name: extension + normalize: [] order: 9 short: File extension from the original request url. type: keyword @@ -5994,6 +6461,7 @@ url.fragment: ignore_above: 1024 level: extended name: fragment + normalize: [] order: 10 short: Portion of the url after the `#`. type: keyword 
@@ -6011,6 +6479,7 @@ url.full: norms: false type: text name: full + normalize: [] order: 1 short: Full unparsed URL. type: keyword @@ -6032,6 +6501,7 @@ url.original: norms: false type: text name: original + normalize: [] order: 0 short: Unmodified original url as seen in the event source. type: keyword @@ -6042,6 +6512,7 @@ url.password: ignore_above: 1024 level: extended name: password + normalize: [] order: 12 short: Password of the request. type: keyword @@ -6052,6 +6523,7 @@ url.path: ignore_above: 1024 level: extended name: path + normalize: [] order: 7 short: Path of the request, such as "/search". type: keyword @@ -6063,6 +6535,7 @@ url.port: format: string level: extended name: port + normalize: [] order: 6 short: Port of the request, such as 443. type: long @@ -6079,6 +6552,7 @@ url.query: ignore_above: 1024 level: extended name: query + normalize: [] order: 8 short: Query string of the request. type: keyword @@ -6096,6 +6570,7 @@ url.registered_domain: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 4 short: The highest registered url domain, stripped of the subdomain. type: keyword @@ -6109,6 +6584,7 @@ url.scheme: ignore_above: 1024 level: extended name: scheme + normalize: [] order: 2 short: Scheme of the url. type: keyword @@ -6126,6 +6602,7 @@ url.top_level_domain: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 5 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -6136,6 +6613,7 @@ url.username: ignore_above: 1024 level: extended name: username + normalize: [] order: 11 short: Username of the request. type: keyword @@ -6148,6 +6626,7 @@ user.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -6159,6 +6638,7 @@ user.email: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. 
@@ -6176,6 +6656,7 @@ user.full_name: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -6189,6 +6670,7 @@ user.group.domain: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -6200,6 +6682,7 @@ user.group.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -6211,6 +6694,7 @@ user.group.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -6226,20 +6710,22 @@ user.hash: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: user-name @@ -6254,6 +6740,7 @@ user.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -6266,6 +6753,7 @@ user_agent.device.name: ignore_above: 1024 level: extended name: device.name + normalize: [] order: 3 short: Name of the device. type: keyword @@ -6277,6 +6765,7 @@ user_agent.name: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 short: Name of the user agent. type: keyword @@ -6294,6 +6783,7 @@ user_agent.original: norms: false type: text name: original + normalize: [] order: 0 short: Unparsed user_agent string. type: keyword 
@@ -6305,6 +6795,7 @@ user_agent.os.family: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). @@ -6322,6 +6813,7 @@ user_agent.os.full: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -6334,6 +6826,7 @@ user_agent.os.kernel: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -6351,6 +6844,7 @@ user_agent.os.name: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -6363,6 +6857,7 @@ user_agent.os.platform: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -6375,6 +6870,7 @@ user_agent.os.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -6387,6 +6883,7 @@ user_agent.version: ignore_above: 1024 level: extended name: version + normalize: [] order: 2 short: Version of the user agent. type: keyword @@ -6403,6 +6900,8 @@ vulnerability.category: ignore_above: 1024 level: extended name: category + normalize: + - array order: 7 short: Category of a vulnerability. type: keyword @@ -6415,6 +6914,7 @@ vulnerability.classification: ignore_above: 1024 level: extended name: classification + normalize: [] order: 0 short: Classification of the vulnerability. type: keyword @@ -6433,6 +6933,7 @@ vulnerability.description: norms: false type: text name: description + normalize: [] order: 8 short: Description of the vulnerability. type: keyword 
@@ -6444,6 +6945,7 @@ vulnerability.enumeration: ignore_above: 1024 level: extended name: enumeration + normalize: [] order: 1 short: Identifier of the vulnerability. type: keyword @@ -6458,6 +6960,7 @@ vulnerability.id: ignore_above: 1024 level: extended name: id + normalize: [] order: 9 short: ID of the vulnerability. type: keyword @@ -6470,6 +6973,7 @@ vulnerability.reference: ignore_above: 1024 level: extended name: reference + normalize: [] order: 2 short: Reference of the vulnerability. type: keyword @@ -6481,6 +6985,7 @@ vulnerability.report_id: ignore_above: 1024 level: extended name: report_id + normalize: [] order: 12 short: Scan identification number. type: keyword @@ -6492,6 +6997,7 @@ vulnerability.scanner.vendor: ignore_above: 1024 level: extended name: scanner.vendor + normalize: [] order: 10 short: Name of the scanner vendor. type: keyword @@ -6506,6 +7012,7 @@ vulnerability.score.base: flat_name: vulnerability.score.base level: extended name: score.base + normalize: [] order: 3 short: Vulnerability Base score. type: float @@ -6519,6 +7026,7 @@ vulnerability.score.environmental: flat_name: vulnerability.score.environmental level: extended name: score.environmental + normalize: [] order: 5 short: Vulnerability Environmental score. type: float @@ -6531,6 +7039,7 @@ vulnerability.score.temporal: flat_name: vulnerability.score.temporal level: extended name: score.temporal + normalize: [] order: 4 short: Vulnerability Temporal score. type: float @@ -6548,6 +7057,7 @@ vulnerability.score.version: ignore_above: 1024 level: extended name: score.version + normalize: [] order: 6 short: CVSS version. type: keyword @@ -6560,6 +7070,7 @@ vulnerability.severity: ignore_above: 1024 level: extended name: severity + normalize: [] order: 11 short: Severity of the vulnerability. type: keyword diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index edfa26a4eb..6bba4737c8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -17,6 +17,7 @@ agent: ignore_above: 1024 level: extended name: ephemeral_id + normalize: [] order: 4 short: Ephemeral identifier of this agent. type: keyword @@ -30,6 +31,7 @@ agent: ignore_above: 1024 level: core name: id + normalize: [] order: 3 short: Unique identifier of this agent. type: keyword @@ -47,6 +49,7 @@ agent: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Custom name of the agent. type: keyword @@ -62,6 +65,7 @@ agent: ignore_above: 1024 level: core name: type + normalize: [] order: 2 short: Type of the agent. type: keyword @@ -73,6 +77,7 @@ agent: ignore_above: 1024 level: core name: version + normalize: [] order: 0 short: Version of the agent. type: keyword @@ -100,6 +105,7 @@ as: flat_name: as.number level: extended name: number + normalize: [] order: 0 short: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -117,6 +123,7 @@ as: norms: false type: text name: organization.name + normalize: [] order: 1 short: Organization name. type: keyword @@ -152,6 +159,7 @@ base: flat_name: '@timestamp' level: core name: '@timestamp' + normalize: [] order: 0 required: true short: Date/time when the event originated. @@ -170,6 +178,7 @@ base: flat_name: labels level: core name: labels + normalize: [] object_type: keyword order: 2 short: Custom key/value pairs. @@ -187,6 +196,7 @@ base: flat_name: message level: core name: message + normalize: [] norms: false order: 3 short: Log message optimized for viewing in a log viewer. @@ -199,6 +209,8 @@ base: ignore_above: 1024 level: core name: tags + normalize: + - array order: 1 short: List of keywords used to tag each event. type: keyword @@ -238,6 +250,7 @@ client: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Client network address. type: keyword 
@@ -249,6 +262,7 @@ client: flat_name: client.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system @@ -267,6 +281,7 @@ client: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -279,6 +294,7 @@ client: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the client to the server. type: long @@ -289,6 +305,7 @@ client: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Client domain. type: keyword @@ -300,6 +317,7 @@ client: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -312,6 +330,7 @@ client: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -324,6 +343,7 @@ client: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -336,6 +356,7 @@ client: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -347,6 +368,7 @@ client: flat_name: client.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -365,6 +387,7 @@ client: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -377,6 +400,7 @@ client: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -389,6 +413,7 @@ client: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. 
@@ -401,6 +426,7 @@ client: flat_name: client.ip level: core name: ip + normalize: [] order: 1 short: IP address of the client. type: ip @@ -411,6 +437,7 @@ client: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the client. type: keyword @@ -423,6 +450,7 @@ client: flat_name: client.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Client NAT ip address type: ip @@ -436,6 +464,7 @@ client: format: string level: extended name: nat.port + normalize: [] order: 10 short: Client NAT port type: long @@ -446,6 +475,7 @@ client: flat_name: client.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the client to the server. type: long @@ -456,6 +486,7 @@ client: format: string level: core name: port + normalize: [] order: 2 short: Port of the client. type: long @@ -473,6 +504,7 @@ client: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered client domain, stripped of the subdomain. type: keyword @@ -490,6 +522,7 @@ client: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -502,6 +535,7 @@ client: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -513,6 +547,7 @@ client: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -530,6 +565,7 @@ client: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -543,6 +579,7 @@ client: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. 
@@ -554,6 +591,7 @@ client: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -565,6 +603,7 @@ client: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -580,20 +619,22 @@ client: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: client-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: client.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: client-user-name @@ -608,6 +649,7 @@ client: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -637,6 +679,7 @@ cloud: ignore_above: 1024 level: extended name: account.id + normalize: [] order: 6 short: The cloud account or organization id. type: keyword @@ -648,6 +691,7 @@ cloud: ignore_above: 1024 level: extended name: availability_zone + normalize: [] order: 1 short: Availability zone in which this host is running. type: keyword @@ -659,6 +703,7 @@ cloud: ignore_above: 1024 level: extended name: instance.id + normalize: [] order: 3 short: Instance ID of the host machine. type: keyword @@ -669,6 +714,7 @@ cloud: ignore_above: 1024 level: extended name: instance.name + normalize: [] order: 4 short: Instance name of the host machine. type: keyword @@ -680,6 +726,7 @@ cloud: ignore_above: 1024 level: extended name: machine.type + normalize: [] order: 5 short: Machine type of the host machine. type: keyword 
@@ -692,6 +739,7 @@ cloud: ignore_above: 1024 level: extended name: provider + normalize: [] order: 0 short: Name of the cloud provider. type: keyword @@ -703,6 +751,7 @@ cloud: ignore_above: 1024 level: extended name: region + normalize: [] order: 2 short: Region in which this host is running. type: keyword @@ -730,6 +779,7 @@ container: ignore_above: 1024 level: core name: id + normalize: [] order: 1 short: Unique container id. type: keyword @@ -740,18 +790,21 @@ container: ignore_above: 1024 level: extended name: image.name + normalize: [] order: 2 short: Name of the image the container was built on. type: keyword image.tag: dashed_name: container-image-tag - description: Container image tag. + description: Container image tags. flat_name: container.image.tag ignore_above: 1024 level: extended name: image.tag + normalize: + - array order: 3 - short: Container image tag. + short: Container image tags. type: keyword labels: dashed_name: container-labels @@ -759,6 +812,7 @@ container: flat_name: container.labels level: extended name: labels + normalize: [] object_type: keyword order: 5 short: Image labels. @@ -770,6 +824,7 @@ container: ignore_above: 1024 level: extended name: name + normalize: [] order: 4 short: Container name. type: keyword @@ -781,6 +836,7 @@ container: ignore_above: 1024 level: extended name: runtime + normalize: [] order: 0 short: Runtime managing this container. type: keyword @@ -807,6 +863,7 @@ destination: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Destination network address. type: keyword @@ -818,6 +875,7 @@ destination: flat_name: destination.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system @@ -836,6 +894,7 @@ destination: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. 
@@ -848,6 +907,7 @@ destination: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the destination to the source. type: long @@ -858,6 +918,7 @@ destination: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Destination domain. type: keyword @@ -869,6 +930,7 @@ destination: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -881,6 +943,7 @@ destination: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -893,6 +956,7 @@ destination: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -905,6 +969,7 @@ destination: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -916,6 +981,7 @@ destination: flat_name: destination.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -934,6 +1000,7 @@ destination: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -946,6 +1013,7 @@ destination: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -958,6 +1026,7 @@ destination: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -970,6 +1039,7 @@ destination: flat_name: destination.ip level: core name: ip + normalize: [] order: 1 short: IP address of the destination. type: ip @@ -980,6 +1050,7 @@ destination: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the destination. type: keyword 
@@ -992,6 +1063,7 @@ destination: flat_name: destination.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Destination NAT ip type: ip @@ -1004,6 +1076,7 @@ destination: format: string level: extended name: nat.port + normalize: [] order: 10 short: Destination NAT Port type: long @@ -1014,6 +1087,7 @@ destination: flat_name: destination.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the destination to the source. type: long @@ -1024,6 +1098,7 @@ destination: format: string level: core name: port + normalize: [] order: 2 short: Port of the destination. type: long @@ -1041,6 +1116,7 @@ destination: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered destination domain, stripped of the subdomain. type: keyword @@ -1058,6 +1134,7 @@ destination: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -1070,6 +1147,7 @@ destination: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -1081,6 +1159,7 @@ destination: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -1098,6 +1177,7 @@ destination: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -1111,6 +1191,7 @@ destination: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -1122,6 +1203,7 @@ destination: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. 
@@ -1133,6 +1215,7 @@ destination: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -1148,20 +1231,22 @@ destination: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: destination-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: destination.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: destination-user-name @@ -1176,6 +1261,7 @@ destination: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -1212,6 +1298,8 @@ dns: flat_name: dns.answers level: extended name: answers + normalize: + - array object_type: keyword order: 11 short: Array of DNS answers. @@ -1224,6 +1312,7 @@ dns: ignore_above: 1024 level: extended name: answers.class + normalize: [] order: 14 short: The class of DNS data contained in this resource record. type: keyword @@ -1237,6 +1326,7 @@ dns: ignore_above: 1024 level: extended name: answers.data + normalize: [] order: 16 short: The data describing the resource. type: keyword @@ -1252,6 +1342,7 @@ dns: ignore_above: 1024 level: extended name: answers.name + normalize: [] order: 12 short: The domain name to which this resource record pertains. type: keyword @@ -1264,6 +1355,7 @@ dns: flat_name: dns.answers.ttl level: extended name: answers.ttl + normalize: [] order: 15 short: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be 
@@ -1277,6 +1369,7 @@ dns: ignore_above: 1024 level: extended name: answers.type + normalize: [] order: 13 short: The type of data contained in this resource record. type: keyword @@ -1292,6 +1385,8 @@ dns: ignore_above: 1024 level: extended name: header_flags + normalize: + - array order: 3 short: Array of DNS header flags. type: keyword @@ -1304,6 +1399,7 @@ dns: ignore_above: 1024 level: extended name: id + normalize: [] order: 1 short: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. @@ -1318,6 +1414,7 @@ dns: ignore_above: 1024 level: extended name: op_code + normalize: [] order: 2 short: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. @@ -1330,6 +1427,7 @@ dns: ignore_above: 1024 level: extended name: question.class + normalize: [] order: 7 short: The class of records being queried. type: keyword @@ -1346,6 +1444,7 @@ dns: ignore_above: 1024 level: extended name: question.name + normalize: [] order: 5 short: The name being queried. type: keyword @@ -1363,6 +1462,7 @@ dns: ignore_above: 1024 level: extended name: question.registered_domain + normalize: [] order: 8 short: The highest registered domain, stripped of the subdomain. type: keyword @@ -1377,6 +1477,7 @@ dns: ignore_above: 1024 level: extended name: question.subdomain + normalize: [] order: 10 short: The subdomain of the domain. type: keyword @@ -1394,6 +1495,7 @@ dns: ignore_above: 1024 level: extended name: question.top_level_domain + normalize: [] order: 9 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -1405,6 +1507,7 @@ dns: ignore_above: 1024 level: extended name: question.type + normalize: [] order: 6 short: The type of record being queried. type: keyword 
@@ -1422,6 +1525,8 @@ dns: flat_name: dns.resolved_ip level: extended name: resolved_ip + normalize: + - array order: 17 short: Array containing all IPs seen in answers.data type: ip @@ -1433,6 +1538,7 @@ dns: ignore_above: 1024 level: extended name: response_code + normalize: [] order: 4 short: The DNS response code. type: keyword @@ -1451,6 +1557,7 @@ dns: ignore_above: 1024 level: extended name: type + normalize: [] order: 0 short: The type of DNS event captured, query or answer. type: keyword @@ -1476,6 +1583,7 @@ ecs: ignore_above: 1024 level: core name: version + normalize: [] order: 0 required: true short: ECS version this event conforms to. @@ -1499,6 +1607,7 @@ error: ignore_above: 1024 level: core name: code + normalize: [] order: 2 short: Error code describing the error. type: keyword @@ -1509,6 +1618,7 @@ error: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique identifier for the error. type: keyword @@ -1518,6 +1628,7 @@ error: flat_name: error.message level: core name: message + normalize: [] norms: false order: 1 short: Error message. @@ -1536,6 +1647,7 @@ error: norms: false type: text name: stack_trace + normalize: [] order: 4 short: The stack trace of this error in plain text. type: keyword @@ -1547,6 +1659,7 @@ error: ignore_above: 1024 level: extended name: type + normalize: [] order: 3 short: The type of the error, for example the class name of the exception. type: keyword @@ -1581,6 +1694,7 @@ event: ignore_above: 1024 level: core name: action + normalize: [] order: 4 short: The action captured by the event. type: keyword @@ -1727,6 +1841,8 @@ event: ignore_above: 1024 level: core name: category + normalize: + - array order: 3 short: Event category. The second categorization field in the hierarchy. type: keyword @@ -1742,6 +1858,7 @@ event: ignore_above: 1024 level: extended name: code + normalize: [] order: 1 short: Identification code for this event. type: keyword 
@@ -1763,6 +1880,7 @@ event: flat_name: event.created level: core name: created + normalize: [] order: 16 short: Time when the event was first read by an agent or by your pipeline. type: date @@ -1781,6 +1899,7 @@ event: ignore_above: 1024 level: core name: dataset + normalize: [] order: 8 short: Name of the dataset. type: keyword @@ -1795,6 +1914,7 @@ event: input_format: nanoseconds level: core name: duration + normalize: [] order: 13 output_format: asMilliseconds output_precision: 1 @@ -1807,6 +1927,7 @@ event: flat_name: event.end level: extended name: end + normalize: [] order: 18 short: event.end contains the date when the event ended or when the activity was last observed. @@ -1820,6 +1941,7 @@ event: ignore_above: 1024 level: extended name: hash + normalize: [] order: 12 short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. @@ -1832,6 +1954,7 @@ event: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique ID to describe the event. type: keyword @@ -1849,6 +1972,7 @@ event: flat_name: event.ingested level: core name: ingested + normalize: [] order: 21 short: Timestamp when an event arrived in the central data store. type: date @@ -1920,6 +2044,7 @@ event: ignore_above: 1024 level: core name: kind + normalize: [] order: 2 short: The kind of the event. The highest categorization field in the hierarchy. type: keyword @@ -1935,6 +2060,7 @@ event: ignore_above: 1024 level: core name: module + normalize: [] order: 7 short: Name of the module this data is coming from. type: keyword @@ -1952,6 +2078,7 @@ event: index: false level: core name: original + normalize: [] order: 11 short: Raw text message of entire event. type: keyword @@ -1988,6 +2115,7 @@ event: ignore_above: 1024 level: core name: outcome + normalize: [] order: 5 short: The outcome of the event. The lowest categorization field in the hierarchy. type: keyword 
@@ -2004,6 +2132,7 @@ event: ignore_above: 1024 level: extended name: provider + normalize: [] order: 9 short: Source of the event. type: keyword @@ -2014,6 +2143,7 @@ event: flat_name: event.risk_score level: core name: risk_score + normalize: [] order: 19 short: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. @@ -2028,6 +2158,7 @@ event: flat_name: event.risk_score_norm level: extended name: risk_score_norm + normalize: [] order: 20 short: Normalized risk score or priority of the event (0-100). type: float @@ -2041,6 +2172,7 @@ event: format: string level: extended name: sequence + normalize: [] order: 14 short: Sequence number of the event. type: long @@ -2061,6 +2193,7 @@ event: format: string level: core name: severity + normalize: [] order: 10 short: Numeric severity of the event. type: long @@ -2071,6 +2204,7 @@ event: flat_name: event.start level: extended name: start + normalize: [] order: 17 short: event.start contains the date when the event started or when the activity was first observed. @@ -2087,6 +2221,7 @@ event: ignore_above: 1024 level: extended name: timezone + normalize: [] order: 15 short: Event time zone. type: keyword @@ -2175,6 +2310,8 @@ event: ignore_above: 1024 level: core name: type + normalize: + - array order: 6 short: Event type. The third categorization field in the hierarchy. type: keyword @@ -2201,6 +2338,7 @@ file: flat_name: file.accessed level: extended name: accessed + normalize: [] order: 19 short: Last time the file was accessed. type: date @@ -2216,6 +2354,8 @@ file: ignore_above: 1024 level: extended name: attributes + normalize: + - array order: 1 short: Array of file attributes. type: keyword @@ -2227,6 +2367,7 @@ file: flat_name: file.created level: extended name: created + normalize: [] order: 18 short: File creation time. type: date 
@@ -2239,6 +2380,7 @@ file: flat_name: file.ctime level: extended name: ctime + normalize: [] order: 17 short: Last time the file attributes or metadata changed. type: date @@ -2250,6 +2392,7 @@ file: ignore_above: 1024 level: extended name: device + normalize: [] order: 8 short: Device that is the source of the file. type: keyword @@ -2262,6 +2405,7 @@ file: ignore_above: 1024 level: extended name: directory + normalize: [] order: 2 short: Directory where the file is located. type: keyword @@ -2276,6 +2420,7 @@ file: ignore_above: 1 level: extended name: drive_letter + normalize: [] order: 3 short: Drive letter where the file is located. type: keyword @@ -2287,6 +2432,7 @@ file: ignore_above: 1024 level: extended name: extension + normalize: [] order: 6 short: File extension. type: keyword @@ -2298,6 +2444,7 @@ file: ignore_above: 1024 level: extended name: gid + normalize: [] order: 12 short: Primary group ID (GID) of the file. type: keyword @@ -2309,6 +2456,7 @@ file: ignore_above: 1024 level: extended name: group + normalize: [] order: 13 short: Primary group name of the file. type: keyword @@ -2319,6 +2467,7 @@ file: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -2330,6 +2479,7 @@ file: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -2341,6 +2491,7 @@ file: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -2352,6 +2503,7 @@ file: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -2364,6 +2516,7 @@ file: ignore_above: 1024 level: extended name: inode + normalize: [] order: 9 short: Inode representing the file in the filesystem. type: keyword 
@@ -2375,6 +2528,7 @@ file: ignore_above: 1024 level: extended name: mode + normalize: [] order: 14 short: Mode of the file in octal representation. type: keyword @@ -2384,6 +2538,7 @@ file: flat_name: file.mtime level: extended name: mtime + normalize: [] order: 16 short: Last time the file content was modified. type: date @@ -2395,6 +2550,7 @@ file: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Name of the file including the extension, without the directory. type: keyword @@ -2406,6 +2562,7 @@ file: ignore_above: 1024 level: extended name: owner + normalize: [] order: 11 short: File owner's username. type: keyword @@ -2423,6 +2580,7 @@ file: norms: false type: text name: path + normalize: [] order: 4 short: Full path to the file, including the file name. type: keyword @@ -2435,6 +2593,7 @@ file: flat_name: file.size level: extended name: size + normalize: [] order: 15 short: File size in bytes. type: long @@ -2450,6 +2609,7 @@ file: norms: false type: text name: target_path + normalize: [] order: 5 short: Target path for symlinks. type: keyword @@ -2461,6 +2621,7 @@ file: ignore_above: 1024 level: extended name: type + normalize: [] order: 7 short: File type (file, dir, or symlink). type: keyword @@ -2472,6 +2633,7 @@ file: ignore_above: 1024 level: extended name: uid + normalize: [] order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword @@ -2498,6 +2660,7 @@ geo: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 short: City name. type: keyword @@ -2509,6 +2672,7 @@ geo: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 short: Name of the continent. type: keyword @@ -2520,6 +2684,7 @@ geo: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 short: Country ISO code. type: keyword @@ -2531,6 +2696,7 @@ geo: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 short: Country name. type: keyword 
@@ -2541,6 +2707,7 @@ geo: flat_name: geo.location level: core name: location + normalize: [] order: 0 short: Longitude and latitude. type: geo_point @@ -2558,6 +2725,7 @@ geo: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 short: User-defined description of a location. type: keyword @@ -2569,6 +2737,7 @@ geo: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 short: Region ISO code. type: keyword @@ -2580,6 +2749,7 @@ geo: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 short: Region name. type: keyword @@ -2611,6 +2781,7 @@ group: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 short: Name of the directory the group is a member of. type: keyword @@ -2621,6 +2792,7 @@ group: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 short: Unique identifier for the group on the system/platform. type: keyword @@ -2631,6 +2803,7 @@ group: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 short: Name of the group. type: keyword @@ -2658,6 +2831,7 @@ hash: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 short: MD5 hash. type: keyword @@ -2668,6 +2842,7 @@ hash: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 short: SHA1 hash. type: keyword @@ -2678,6 +2853,7 @@ hash: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 short: SHA256 hash. type: keyword @@ -2688,6 +2864,7 @@ hash: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 short: SHA512 hash. type: keyword @@ -2718,6 +2895,7 @@ host: ignore_above: 1024 level: core name: architecture + normalize: [] order: 7 short: Operating system architecture. type: keyword @@ -2733,6 +2911,7 @@ host: ignore_above: 1024 level: extended name: domain + normalize: [] order: 8 short: Name of the directory the group is a member of. type: keyword 
@@ -2744,6 +2923,7 @@ host: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -2756,6 +2936,7 @@ host: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -2768,6 +2949,7 @@ host: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -2780,6 +2962,7 @@ host: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -2791,6 +2974,7 @@ host: flat_name: host.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -2809,6 +2993,7 @@ host: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -2821,6 +3006,7 @@ host: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -2833,6 +3019,7 @@ host: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -2846,6 +3033,7 @@ host: ignore_above: 1024 level: core name: hostname + normalize: [] order: 0 short: Hostname of the host. type: keyword 
@@ -2860,27 +3048,32 @@ host: ignore_above: 1024 level: core name: id + normalize: [] order: 2 short: Unique host id. type: keyword ip: dashed_name: host-ip - description: Host ip address. + description: Host ip addresses. flat_name: host.ip level: core name: ip + normalize: + - array order: 3 - short: Host ip address. + short: Host ip addresses. type: ip mac: dashed_name: host-mac - description: Host mac address. + description: Host mac addresses. flat_name: host.mac ignore_above: 1024 level: core name: mac + normalize: + - array order: 4 - short: Host mac address. + short: Host mac addresses. type: keyword name: dashed_name: host-name @@ -2893,6 +3086,7 @@ host: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Name of the host. type: keyword @@ -2904,6 +3098,7 @@ host: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). @@ -2921,6 +3116,7 @@ host: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -2933,6 +3129,7 @@ host: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -2950,6 +3147,7 @@ host: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -2962,6 +3160,7 @@ host: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -2974,6 +3173,7 @@ host: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -2989,6 +3189,7 @@ host: ignore_above: 1024 level: core name: type + normalize: [] order: 5 short: Type of host. type: keyword 
@@ -2999,6 +3200,7 @@ host: flat_name: host.uptime level: extended name: uptime + normalize: [] order: 6 short: Seconds the host has been up. type: long @@ -3011,6 +3213,7 @@ host: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -3022,6 +3225,7 @@ host: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -3039,6 +3243,7 @@ host: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -3052,6 +3257,7 @@ host: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -3063,6 +3269,7 @@ host: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -3074,6 +3281,7 @@ host: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -3089,20 +3297,22 @@ host: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: host-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: host.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: host-user-name @@ -3117,6 +3327,7 @@ host: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. 
@@ -3143,6 +3354,7 @@ http: format: bytes level: extended name: request.body.bytes + normalize: [] order: 7 short: Size in bytes of the request body. type: long @@ -3159,6 +3371,7 @@ http: norms: false type: text name: request.body.content + normalize: [] order: 1 short: The full HTTP request body. type: keyword @@ -3170,6 +3383,7 @@ http: format: bytes level: extended name: request.bytes + normalize: [] order: 6 short: Total size in bytes of the request (body and headers). type: long @@ -3184,6 +3398,7 @@ http: ignore_above: 1024 level: extended name: request.method + normalize: [] order: 0 short: HTTP request method. type: keyword @@ -3195,6 +3410,7 @@ http: ignore_above: 1024 level: extended name: request.referrer + normalize: [] order: 2 short: Referrer for this HTTP request. type: keyword @@ -3206,6 +3422,7 @@ http: format: bytes level: extended name: response.body.bytes + normalize: [] order: 9 short: Size in bytes of the response body. type: long @@ -3222,6 +3439,7 @@ http: norms: false type: text name: response.body.content + normalize: [] order: 4 short: The full HTTP response body. type: keyword @@ -3233,6 +3451,7 @@ http: format: bytes level: extended name: response.bytes + normalize: [] order: 8 short: Total size in bytes of the response (body and headers). type: long @@ -3244,6 +3463,7 @@ http: format: string level: extended name: response.status_code + normalize: [] order: 3 short: HTTP response status code. type: long @@ -3255,6 +3475,7 @@ http: ignore_above: 1024 level: extended name: version + normalize: [] order: 5 short: HTTP version. type: keyword @@ -3288,6 +3509,7 @@ log: ignore_above: 1024 level: core name: level + normalize: [] order: 0 short: Log level of the log event. type: keyword @@ -3300,6 +3522,7 @@ log: ignore_above: 1024 level: core name: logger + normalize: [] order: 2 short: Name of the logger. type: keyword 
@@ -3311,6 +3534,7 @@ log: flat_name: log.origin.file.line level: extended name: origin.file.line + normalize: [] order: 4 short: The line number of the file which originated the log event. type: integer @@ -3323,6 +3547,7 @@ log: ignore_above: 1024 level: extended name: origin.file.name + normalize: [] order: 3 short: The file which originated the log event. type: keyword @@ -3334,6 +3559,7 @@ log: ignore_above: 1024 level: extended name: origin.function + normalize: [] order: 5 short: The function which originated the log event. type: keyword @@ -3356,6 +3582,7 @@ log: index: false level: core name: original + normalize: [] order: 1 short: Original log message with light interpretation only (encoding, newlines). type: keyword @@ -3366,6 +3593,7 @@ log: flat_name: log.syslog level: extended name: syslog + normalize: [] object_type: keyword order: 6 short: Syslog metadata @@ -3381,6 +3609,7 @@ log: format: string level: extended name: syslog.facility.code + normalize: [] order: 9 short: Syslog numeric facility of the event. type: long @@ -3392,6 +3621,7 @@ log: ignore_above: 1024 level: extended name: syslog.facility.name + normalize: [] order: 10 short: Syslog text-based facility of the event. type: keyword @@ -3406,6 +3636,7 @@ log: format: string level: extended name: syslog.priority + normalize: [] order: 11 short: Syslog priority of the event. type: long @@ -3421,6 +3652,7 @@ log: flat_name: log.syslog.severity.code level: extended name: syslog.severity.code + normalize: [] order: 7 short: Syslog numeric severity of the event. type: long @@ -3437,6 +3669,7 @@ log: ignore_above: 1024 level: extended name: syslog.severity.name + normalize: [] order: 8 short: Syslog text-based severity of the event. type: keyword @@ -3468,6 +3701,7 @@ network: ignore_above: 1024 level: extended name: application + normalize: [] order: 4 short: Application level protocol name. type: keyword 
@@ -3482,6 +3716,7 @@ network: format: bytes level: core name: bytes + normalize: [] order: 9 short: Total bytes transferred in both directions. type: long @@ -3497,6 +3732,7 @@ network: ignore_above: 1024 level: extended name: community_id + normalize: [] order: 8 short: A hash of source and destination IPs and ports. type: keyword @@ -3513,6 +3749,7 @@ network: ignore_above: 1024 level: core name: direction + normalize: [] order: 6 short: Direction of the network traffic. type: keyword @@ -3523,6 +3760,7 @@ network: flat_name: network.forwarded_ip level: core name: forwarded_ip + normalize: [] order: 7 short: Host IP address when the source IP address is the proxy. type: ip @@ -3536,6 +3774,7 @@ network: ignore_above: 1024 level: extended name: iana_number + normalize: [] order: 2 short: IANA Protocol Number. type: keyword @@ -3547,6 +3786,7 @@ network: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Name given by operators to sections of their network. type: keyword @@ -3560,6 +3800,7 @@ network: flat_name: network.packets level: core name: packets + normalize: [] order: 10 short: Total packets transferred in both directions. type: long @@ -3574,6 +3815,7 @@ network: ignore_above: 1024 level: core name: protocol + normalize: [] order: 5 short: L7 Network protocol name. type: keyword @@ -3589,6 +3831,7 @@ network: ignore_above: 1024 level: core name: transport + normalize: [] order: 3 short: Protocol Name corresponding to the field `iana_number`. type: keyword @@ -3604,6 +3847,7 @@ network: ignore_above: 1024 level: core name: type + normalize: [] order: 1 short: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc @@ -3636,6 +3880,7 @@ observer: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. 
@@ -3648,6 +3893,7 @@ observer: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -3660,6 +3906,7 @@ observer: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -3672,6 +3919,7 @@ observer: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -3683,6 +3931,7 @@ observer: flat_name: observer.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -3701,6 +3950,7 @@ observer: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -3713,6 +3963,7 @@ observer: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -3725,6 +3976,7 @@ observer: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -3736,27 +3988,32 @@ observer: ignore_above: 1024 level: core name: hostname + normalize: [] order: 2 short: Hostname of the observer. type: keyword ip: dashed_name: observer-ip - description: IP address of the observer. + description: IP addresses of the observer. flat_name: observer.ip level: core name: ip + normalize: + - array order: 1 - short: IP address of the observer. + short: IP addresses of the observer. type: ip mac: dashed_name: observer-mac - description: MAC address of the observer + description: MAC addresses of the observer flat_name: observer.mac ignore_above: 1024 level: core name: mac + normalize: + - array order: 0 - short: MAC address of the observer + short: MAC addresses of the observer type: keyword name: dashed_name: observer-name 
@@ -3771,6 +4028,7 @@ observer: ignore_above: 1024 level: extended name: name + normalize: [] order: 3 short: Custom name of the observer. type: keyword @@ -3782,6 +4040,7 @@ observer: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). @@ -3799,6 +4058,7 @@ observer: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -3811,6 +4071,7 @@ observer: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -3828,6 +4089,7 @@ observer: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -3840,6 +4102,7 @@ observer: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -3852,6 +4115,7 @@ observer: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -3864,6 +4128,7 @@ observer: ignore_above: 1024 level: extended name: product + normalize: [] order: 4 short: The product name of the observer. type: keyword @@ -3874,6 +4139,7 @@ observer: ignore_above: 1024 level: extended name: serial_number + normalize: [] order: 7 short: Observer serial number. type: keyword @@ -3888,6 +4154,7 @@ observer: ignore_above: 1024 level: core name: type + normalize: [] order: 8 short: The type of the observer the data is coming from. type: keyword @@ -3899,6 +4166,7 @@ observer: ignore_above: 1024 level: core name: vendor + normalize: [] order: 5 short: Vendor name of the observer. type: keyword 
@@ -3909,6 +4177,7 @@ observer: ignore_above: 1024 level: core name: version + normalize: [] order: 6 short: Observer version. type: keyword @@ -3935,6 +4204,7 @@ organization: ignore_above: 1024 level: extended name: id + normalize: [] order: 1 short: Unique identifier for the organization. type: keyword @@ -3950,6 +4220,7 @@ organization: norms: false type: text name: name + normalize: [] order: 0 short: Organization name. type: keyword @@ -3970,6 +4241,7 @@ os: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 short: OS family (such as redhat, debian, freebsd, windows). type: keyword @@ -3986,6 +4258,7 @@ os: norms: false type: text name: full + normalize: [] order: 2 short: Operating system name, including the version or code name. type: keyword @@ -3997,6 +4270,7 @@ os: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 short: Operating system kernel version as a raw string. type: keyword @@ -4013,6 +4287,7 @@ os: norms: false type: text name: name + normalize: [] order: 1 short: Operating system name, without the version. type: keyword @@ -4024,6 +4299,7 @@ os: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 short: Operating system platform (such centos, ubuntu, windows). type: keyword @@ -4035,6 +4311,7 @@ os: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 short: Operating system version as a raw string. type: keyword @@ -4063,6 +4340,7 @@ package: ignore_above: 1024 level: extended name: architecture + normalize: [] order: 7 short: Package architecture. type: keyword @@ -4077,6 +4355,7 @@ package: ignore_above: 1024 level: extended name: build_version + normalize: [] order: 2 short: Build version information type: keyword @@ -4088,6 +4367,7 @@ package: ignore_above: 1024 level: extended name: checksum + normalize: [] order: 8 short: Checksum of the installed package for verification. type: keyword 
@@ -4100,6 +4380,7 @@ package: ignore_above: 1024 level: extended name: description + normalize: [] order: 3 short: Description of the package. type: keyword @@ -4111,6 +4392,7 @@ package: ignore_above: 1024 level: extended name: install_scope + normalize: [] order: 9 short: Indicating how the package was installed, e.g. user-local, global. type: keyword @@ -4120,6 +4402,7 @@ package: flat_name: package.installed level: extended name: installed + normalize: [] order: 5 short: Time when package was installed. type: date @@ -4134,6 +4417,7 @@ package: ignore_above: 1024 level: extended name: license + normalize: [] order: 10 short: Package license type: keyword @@ -4145,6 +4429,7 @@ package: ignore_above: 1024 level: extended name: name + normalize: [] order: 0 short: Package name type: keyword @@ -4156,6 +4441,7 @@ package: ignore_above: 1024 level: extended name: path + normalize: [] order: 6 short: Path where the package is installed. type: keyword @@ -4168,6 +4454,7 @@ package: ignore_above: 1024 level: extended name: reference + normalize: [] order: 11 short: Package home page or reference URL type: keyword @@ -4179,6 +4466,7 @@ package: format: string level: extended name: size + normalize: [] order: 4 short: Package size in bytes. type: long @@ -4193,6 +4481,7 @@ package: ignore_above: 1024 level: extended name: type + normalize: [] order: 12 short: Package type type: keyword @@ -4204,6 +4493,7 @@ package: ignore_above: 1024 level: extended name: version + normalize: [] order: 1 short: Package version type: keyword @@ -4235,6 +4525,8 @@ process: ignore_above: 1024 level: extended name: args + normalize: + - array order: 10 short: Array of process arguments. type: keyword @@ -4249,6 +4541,7 @@ process: flat_name: process.args_count level: extended name: args_count + normalize: [] order: 12 short: Length of the process.args array. type: long 
@@ -4268,6 +4561,7 @@ process: norms: false type: text name: command_line + normalize: [] order: 8 short: Full command line that started the process. type: keyword @@ -4284,6 +4578,7 @@ process: norms: false type: text name: executable + normalize: [] order: 14 short: Absolute path to the process executable. type: keyword @@ -4297,6 +4592,7 @@ process: flat_name: process.exit_code level: extended name: exit_code + normalize: [] order: 28 short: The exit code of the process. type: long @@ -4307,6 +4603,7 @@ process: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -4318,6 +4615,7 @@ process: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -4329,6 +4627,7 @@ process: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -4340,6 +4639,7 @@ process: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -4359,6 +4659,7 @@ process: norms: false type: text name: name + normalize: [] order: 2 short: Process name. type: keyword @@ -4376,6 +4677,8 @@ process: ignore_above: 1024 level: extended name: parent.args + normalize: + - array order: 11 short: Array of process arguments. type: keyword @@ -4390,6 +4693,7 @@ process: flat_name: process.parent.args_count level: extended name: parent.args_count + normalize: [] order: 13 short: Length of the process.args array. type: long @@ -4409,6 +4713,7 @@ process: norms: false type: text name: parent.command_line + normalize: [] order: 9 short: Full command line that started the process. type: keyword @@ -4425,6 +4730,7 @@ process: norms: false type: text name: parent.executable + normalize: [] order: 15 short: Absolute path to the process executable. type: keyword 
@@ -4438,6 +4744,7 @@ process: flat_name: process.parent.exit_code level: extended name: parent.exit_code + normalize: [] order: 29 short: The exit code of the process. type: long @@ -4448,6 +4755,7 @@ process: ignore_above: 1024 level: extended name: md5 + normalize: [] order: 0 original_fieldset: hash short: MD5 hash. @@ -4459,6 +4767,7 @@ process: ignore_above: 1024 level: extended name: sha1 + normalize: [] order: 1 original_fieldset: hash short: SHA1 hash. @@ -4470,6 +4779,7 @@ process: ignore_above: 1024 level: extended name: sha256 + normalize: [] order: 2 original_fieldset: hash short: SHA256 hash. @@ -4481,6 +4791,7 @@ process: ignore_above: 1024 level: extended name: sha512 + normalize: [] order: 3 original_fieldset: hash short: SHA512 hash. @@ -4500,6 +4811,7 @@ process: norms: false type: text name: parent.name + normalize: [] order: 3 short: Process name. type: keyword @@ -4510,6 +4822,7 @@ process: format: string level: extended name: parent.pgid + normalize: [] order: 7 short: Identifier of the group of processes the process belongs to. type: long @@ -4521,6 +4834,7 @@ process: format: string level: core name: parent.pid + normalize: [] order: 1 short: Process id. type: long @@ -4532,6 +4846,7 @@ process: format: string level: extended name: parent.ppid + normalize: [] order: 5 short: Parent process' pid. type: long @@ -4542,6 +4857,7 @@ process: flat_name: process.parent.start level: extended name: parent.start + normalize: [] order: 23 short: The time the process started. type: date @@ -4553,6 +4869,7 @@ process: format: string level: extended name: parent.thread.id + normalize: [] order: 19 short: Thread ID. type: long @@ -4564,6 +4881,7 @@ process: ignore_above: 1024 level: extended name: parent.thread.name + normalize: [] order: 21 short: Thread name. type: keyword @@ -4582,6 +4900,7 @@ process: norms: false type: text name: parent.title + normalize: [] order: 17 short: Process title. type: keyword 
@@ -4592,6 +4911,7 @@ process: flat_name: process.parent.uptime level: extended name: parent.uptime + normalize: [] order: 25 short: Seconds the process has been up. type: long @@ -4608,6 +4928,7 @@ process: norms: false type: text name: parent.working_directory + normalize: [] order: 27 short: The working directory of the process. type: keyword @@ -4618,6 +4939,7 @@ process: format: string level: extended name: pgid + normalize: [] order: 6 short: Identifier of the group of processes the process belongs to. type: long @@ -4629,6 +4951,7 @@ process: format: string level: core name: pid + normalize: [] order: 0 short: Process id. type: long @@ -4640,6 +4963,7 @@ process: format: string level: extended name: ppid + normalize: [] order: 4 short: Parent process' pid. type: long @@ -4650,6 +4974,7 @@ process: flat_name: process.start level: extended name: start + normalize: [] order: 22 short: The time the process started. type: date @@ -4661,6 +4986,7 @@ process: format: string level: extended name: thread.id + normalize: [] order: 18 short: Thread ID. type: long @@ -4672,6 +4998,7 @@ process: ignore_above: 1024 level: extended name: thread.name + normalize: [] order: 20 short: Thread name. type: keyword @@ -4690,6 +5017,7 @@ process: norms: false type: text name: title + normalize: [] order: 16 short: Process title. type: keyword @@ -4700,6 +5028,7 @@ process: flat_name: process.uptime level: extended name: uptime + normalize: [] order: 24 short: Seconds the process has been up. type: long @@ -4716,6 +5045,7 @@ process: norms: false type: text name: working_directory + normalize: [] order: 26 short: The working directory of the process. type: keyword @@ -4742,6 +5072,7 @@ registry: ignore_above: 1024 level: extended name: data.bytes + normalize: [] order: 6 short: Original bytes written with base64 encoding. type: keyword 
@@ -4759,6 +5090,7 @@ registry: ignore_above: 1024 level: core name: data.strings + normalize: [] order: 5 short: List of strings representing what was written to the registry. type: keyword @@ -4770,6 +5102,7 @@ registry: ignore_above: 1024 level: core name: data.type + normalize: [] order: 4 short: Standard registry type for encoding contents type: keyword @@ -4781,6 +5114,7 @@ registry: ignore_above: 1024 level: core name: hive + normalize: [] order: 0 short: Abbreviated name for the hive. type: keyword @@ -4792,6 +5126,7 @@ registry: ignore_above: 1024 level: core name: key + normalize: [] order: 1 short: Hive-relative path of keys. type: keyword @@ -4804,6 +5139,7 @@ registry: ignore_above: 1024 level: core name: path + normalize: [] order: 3 short: Full path, including hive, key and value type: keyword @@ -4815,6 +5151,7 @@ registry: ignore_above: 1024 level: core name: value + normalize: [] order: 2 short: Name of the value written. type: keyword @@ -4845,6 +5182,8 @@ related: ignore_above: 1024 level: extended name: hash + normalize: + - array order: 2 short: All the hashes seen on your event. type: keyword @@ -4854,6 +5193,8 @@ related: flat_name: related.ip level: extended name: ip + normalize: + - array order: 0 short: All of the IPs seen on your event. type: ip @@ -4864,6 +5205,8 @@ related: ignore_above: 1024 level: extended name: user + normalize: + - array order: 1 short: All the user names seen on your event. type: keyword @@ -4890,6 +5233,7 @@ rule: ignore_above: 1024 level: extended name: category + normalize: [] order: 5 short: Rule category type: keyword @@ -4901,6 +5245,7 @@ rule: ignore_above: 1024 level: extended name: description + normalize: [] order: 4 short: Rule description type: keyword @@ -4913,6 +5258,7 @@ rule: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 short: Rule ID type: keyword 
@@ -4924,6 +5270,7 @@ rule: ignore_above: 1024 level: extended name: name + normalize: [] order: 3 short: Rule name type: keyword @@ -4940,6 +5287,7 @@ rule: ignore_above: 1024 level: extended name: reference + normalize: [] order: 7 short: Rule reference URL type: keyword @@ -4952,6 +5300,7 @@ rule: ignore_above: 1024 level: extended name: ruleset + normalize: [] order: 6 short: Rule ruleset type: keyword @@ -4965,6 +5314,7 @@ rule: ignore_above: 1024 level: extended name: uuid + normalize: [] order: 1 short: Rule UUID type: keyword @@ -4976,6 +5326,7 @@ rule: ignore_above: 1024 level: extended name: version + normalize: [] order: 2 short: Rule version type: keyword @@ -5015,6 +5366,7 @@ server: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Server network address. type: keyword @@ -5026,6 +5378,7 @@ server: flat_name: server.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system @@ -5044,6 +5397,7 @@ server: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -5056,6 +5410,7 @@ server: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the server to the client. type: long @@ -5066,6 +5421,7 @@ server: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Server domain. type: keyword @@ -5077,6 +5433,7 @@ server: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -5089,6 +5446,7 @@ server: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -5101,6 +5459,7 @@ server: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. 
@@ -5113,6 +5472,7 @@ server: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -5124,6 +5484,7 @@ server: flat_name: server.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -5142,6 +5503,7 @@ server: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -5154,6 +5516,7 @@ server: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -5166,6 +5529,7 @@ server: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -5178,6 +5542,7 @@ server: flat_name: server.ip level: core name: ip + normalize: [] order: 1 short: IP address of the server. type: ip @@ -5188,6 +5553,7 @@ server: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the server. type: keyword @@ -5200,6 +5566,7 @@ server: flat_name: server.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Server NAT ip type: ip @@ -5213,6 +5580,7 @@ server: format: string level: extended name: nat.port + normalize: [] order: 10 short: Server NAT port type: long @@ -5223,6 +5591,7 @@ server: flat_name: server.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the server to the client. type: long @@ -5233,6 +5602,7 @@ server: format: string level: core name: port + normalize: [] order: 2 short: Port of the server. type: long @@ -5250,6 +5620,7 @@ server: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered server domain, stripped of the subdomain. type: keyword 
@@ -5267,6 +5638,7 @@ server: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -5279,6 +5651,7 @@ server: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -5290,6 +5663,7 @@ server: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -5307,6 +5681,7 @@ server: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -5320,6 +5695,7 @@ server: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -5331,6 +5707,7 @@ server: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -5342,6 +5719,7 @@ server: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -5357,20 +5735,22 @@ server: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: server-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: server.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: server-user-name @@ -5385,6 +5765,7 @@ server: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. 
@@ -5415,6 +5796,7 @@ service: ignore_above: 1024 level: extended name: ephemeral_id + normalize: [] order: 6 short: Ephemeral identifier of this service. type: keyword @@ -5434,6 +5816,7 @@ service: ignore_above: 1024 level: core name: id + normalize: [] order: 0 short: Unique identifier of the running service. type: keyword @@ -5453,6 +5836,7 @@ service: ignore_above: 1024 level: core name: name + normalize: [] order: 1 short: Name of the service. type: keyword @@ -5475,6 +5859,7 @@ service: ignore_above: 1024 level: extended name: node.name + normalize: [] order: 2 short: Name of the service node. type: keyword @@ -5485,6 +5870,7 @@ service: ignore_above: 1024 level: core name: state + normalize: [] order: 4 short: Current state of the service. type: keyword @@ -5502,6 +5888,7 @@ service: ignore_above: 1024 level: core name: type + normalize: [] order: 3 short: The type of the service. type: keyword @@ -5515,6 +5902,7 @@ service: ignore_above: 1024 level: core name: version + normalize: [] order: 5 short: Version of the service. type: keyword @@ -5541,6 +5929,7 @@ source: ignore_above: 1024 level: extended name: address + normalize: [] order: 0 short: Source network address. type: keyword @@ -5552,6 +5941,7 @@ source: flat_name: source.as.number level: extended name: number + normalize: [] order: 0 original_fieldset: as short: Unique number allocated to the autonomous system. The autonomous system @@ -5570,6 +5960,7 @@ source: norms: false type: text name: organization.name + normalize: [] order: 1 original_fieldset: as short: Organization name. @@ -5582,6 +5973,7 @@ source: format: bytes level: core name: bytes + normalize: [] order: 7 short: Bytes sent from the source to the destination. type: long @@ -5592,6 +5984,7 @@ source: ignore_above: 1024 level: core name: domain + normalize: [] order: 4 short: Source domain. type: keyword 
@@ -5603,6 +5996,7 @@ source: ignore_above: 1024 level: core name: city_name + normalize: [] order: 4 original_fieldset: geo short: City name. @@ -5615,6 +6009,7 @@ source: ignore_above: 1024 level: core name: continent_name + normalize: [] order: 1 original_fieldset: geo short: Name of the continent. @@ -5627,6 +6022,7 @@ source: ignore_above: 1024 level: core name: country_iso_code + normalize: [] order: 5 original_fieldset: geo short: Country ISO code. @@ -5639,6 +6035,7 @@ source: ignore_above: 1024 level: core name: country_name + normalize: [] order: 2 original_fieldset: geo short: Country name. @@ -5650,6 +6047,7 @@ source: flat_name: source.geo.location level: core name: location + normalize: [] order: 0 original_fieldset: geo short: Longitude and latitude. @@ -5668,6 +6066,7 @@ source: ignore_above: 1024 level: extended name: name + normalize: [] order: 7 original_fieldset: geo short: User-defined description of a location. @@ -5680,6 +6079,7 @@ source: ignore_above: 1024 level: core name: region_iso_code + normalize: [] order: 6 original_fieldset: geo short: Region ISO code. @@ -5692,6 +6092,7 @@ source: ignore_above: 1024 level: core name: region_name + normalize: [] order: 3 original_fieldset: geo short: Region name. @@ -5704,6 +6105,7 @@ source: flat_name: source.ip level: core name: ip + normalize: [] order: 1 short: IP address of the source. type: ip @@ -5714,6 +6116,7 @@ source: ignore_above: 1024 level: core name: mac + normalize: [] order: 3 short: MAC address of the source. type: keyword @@ -5726,6 +6129,7 @@ source: flat_name: source.nat.ip level: extended name: nat.ip + normalize: [] order: 9 short: Source NAT ip type: ip @@ -5739,6 +6143,7 @@ source: format: string level: extended name: nat.port + normalize: [] order: 10 short: Source NAT port type: long @@ -5749,6 +6154,7 @@ source: flat_name: source.packets level: core name: packets + normalize: [] order: 8 short: Packets sent from the source to the destination. type: long 
@@ -5759,6 +6165,7 @@ source: format: string level: core name: port + normalize: [] order: 2 short: Port of the source. type: long @@ -5776,6 +6183,7 @@ source: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 5 short: The highest registered source domain, stripped of the subdomain. type: keyword @@ -5793,6 +6201,7 @@ source: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 6 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -5805,6 +6214,7 @@ source: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 original_fieldset: user short: Name of the directory the user is a member of. @@ -5816,6 +6226,7 @@ source: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 original_fieldset: user short: User email address. @@ -5833,6 +6244,7 @@ source: norms: false type: text name: full_name + normalize: [] order: 2 original_fieldset: user short: User's full name, if available. @@ -5846,6 +6258,7 @@ source: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -5857,6 +6270,7 @@ source: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -5868,6 +6282,7 @@ source: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. 
@@ -5883,20 +6298,22 @@ source: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 original_fieldset: user short: Unique user hash to correlate information for a user in anonymized form. type: keyword user.id: dashed_name: source-user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: source.user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 original_fieldset: user - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword user.name: dashed_name: source-user-name @@ -5911,6 +6328,7 @@ source: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: user short: Short name or login of the user. @@ -5946,6 +6364,7 @@ threat: ignore_above: 1024 level: extended name: framework + normalize: [] order: 0 short: Threat classification framework. type: keyword @@ -5959,6 +6378,8 @@ threat: ignore_above: 1024 level: extended name: tactic.id + normalize: + - array order: 2 short: Threat tactic id. type: keyword @@ -5972,6 +6393,8 @@ threat: ignore_above: 1024 level: extended name: tactic.name + normalize: + - array order: 1 short: Threat tactic. type: keyword @@ -5985,6 +6408,8 @@ threat: ignore_above: 1024 level: extended name: tactic.reference + normalize: + - array order: 3 short: Threat tactic url reference. type: keyword @@ -5998,6 +6423,8 @@ threat: ignore_above: 1024 level: extended name: technique.id + normalize: + - array order: 5 short: Threat technique id. type: keyword @@ -6016,6 +6443,8 @@ threat: norms: false type: text name: technique.name + normalize: + - array order: 4 short: Threat technique name. type: keyword @@ -6029,6 +6458,8 @@ threat: ignore_above: 1024 level: extended name: technique.reference + normalize: + - array order: 6 short: Threat technique reference. type: keyword 
@@ -6051,6 +6482,7 @@ tls: ignore_above: 1024 level: extended name: cipher + normalize: [] order: 2 short: String indicating the cipher used during the current connection. type: keyword @@ -6064,6 +6496,7 @@ tls: ignore_above: 1024 level: extended name: client.certificate + normalize: [] order: 15 short: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists @@ -6081,6 +6514,8 @@ tls: ignore_above: 1024 level: extended name: client.certificate_chain + normalize: + - array order: 14 short: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` @@ -6096,6 +6531,7 @@ tls: ignore_above: 1024 level: extended name: client.hash.md5 + normalize: [] order: 16 short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, @@ -6111,6 +6547,7 @@ tls: ignore_above: 1024 level: extended name: client.hash.sha1 + normalize: [] order: 17 short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, @@ -6126,6 +6563,7 @@ tls: ignore_above: 1024 level: extended name: client.hash.sha256 + normalize: [] order: 18 short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, @@ -6140,6 +6578,7 @@ tls: ignore_above: 1024 level: extended name: client.issuer + normalize: [] order: 11 short: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -6153,6 +6592,7 @@ tls: ignore_above: 1024 level: extended name: client.ja3 + normalize: [] order: 7 short: A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword 
@@ -6164,6 +6604,7 @@ tls: flat_name: tls.client.not_after level: extended name: client.not_after + normalize: [] order: 13 short: Date/Time indicating when client certificate is no longer considered valid. @@ -6176,6 +6617,7 @@ tls: flat_name: tls.client.not_before level: extended name: client.not_before + normalize: [] order: 12 short: Date/Time indicating when client certificate is first considered valid. type: date @@ -6189,6 +6631,7 @@ tls: ignore_above: 1024 level: extended name: client.server_name + normalize: [] order: 8 short: Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get @@ -6203,6 +6646,7 @@ tls: ignore_above: 1024 level: extended name: client.subject + normalize: [] order: 10 short: Distinguished name of subject of the x.509 certificate presented by the client. @@ -6218,6 +6662,8 @@ tls: ignore_above: 1024 level: extended name: client.supported_ciphers + normalize: + - array order: 9 short: Array of ciphers offered by the client during the client hello. type: keyword @@ -6229,6 +6675,7 @@ tls: ignore_above: 1024 level: extended name: curve + normalize: [] order: 3 short: String indicating the curve used for the given cipher, when applicable. type: keyword @@ -6239,6 +6686,7 @@ tls: flat_name: tls.established level: extended name: established + normalize: [] order: 5 short: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. @@ -6253,6 +6701,7 @@ tls: ignore_above: 1024 level: extended name: next_protocol + normalize: [] order: 6 short: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), 
@@ -6265,6 +6714,7 @@ tls: flat_name: tls.resumed level: extended name: resumed + normalize: [] order: 4 short: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. @@ -6279,6 +6729,7 @@ tls: ignore_above: 1024 level: extended name: server.certificate + normalize: [] order: 25 short: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists @@ -6296,6 +6747,8 @@ tls: ignore_above: 1024 level: extended name: server.certificate_chain + normalize: + - array order: 24 short: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` @@ -6311,6 +6764,7 @@ tls: ignore_above: 1024 level: extended name: server.hash.md5 + normalize: [] order: 26 short: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, @@ -6326,6 +6780,7 @@ tls: ignore_above: 1024 level: extended name: server.hash.sha1 + normalize: [] order: 27 short: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, @@ -6341,6 +6796,7 @@ tls: ignore_above: 1024 level: extended name: server.hash.sha256 + normalize: [] order: 28 short: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, @@ -6355,6 +6811,7 @@ tls: ignore_above: 1024 level: extended name: server.issuer + normalize: [] order: 21 short: Subject of the issuer of the x.509 certificate presented by the server. type: keyword @@ -6367,6 +6824,7 @@ tls: ignore_above: 1024 level: extended name: server.ja3s + normalize: [] order: 19 short: A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword 
@@ -6378,6 +6836,7 @@ tls: flat_name: tls.server.not_after level: extended name: server.not_after + normalize: [] order: 23 short: Timestamp indicating when server certificate is no longer considered valid. @@ -6390,6 +6849,7 @@ tls: flat_name: tls.server.not_before level: extended name: server.not_before + normalize: [] order: 22 short: Timestamp indicating when server certificate is first considered valid. type: date @@ -6401,6 +6861,7 @@ tls: ignore_above: 1024 level: extended name: server.subject + normalize: [] order: 20 short: Subject of the x.509 certificate presented by the server. type: keyword @@ -6412,6 +6873,7 @@ tls: ignore_above: 1024 level: extended name: version + normalize: [] order: 0 short: Numeric part of the version parsed from the original string. type: keyword @@ -6423,6 +6885,7 @@ tls: ignore_above: 1024 level: extended name: version_protocol + normalize: [] order: 1 short: Normalized lowercase protocol name parsed from original string. type: keyword @@ -6449,6 +6912,7 @@ tracing: ignore_above: 1024 level: extended name: trace.id + normalize: [] order: 0 short: Unique identifier of the trace. type: keyword @@ -6463,6 +6927,7 @@ tracing: ignore_above: 1024 level: extended name: transaction.id + normalize: [] order: 1 short: Unique identifier of the transaction. type: keyword @@ -6488,6 +6953,7 @@ url: ignore_above: 1024 level: extended name: domain + normalize: [] order: 3 short: Domain of the url. type: keyword @@ -6505,6 +6971,7 @@ url: ignore_above: 1024 level: extended name: extension + normalize: [] order: 9 short: File extension from the original request url. type: keyword @@ -6517,6 +6984,7 @@ url: ignore_above: 1024 level: extended name: fragment + normalize: [] order: 10 short: Portion of the url after the `#`. type: keyword @@ -6535,6 +7003,7 @@ url: norms: false type: text name: full + normalize: [] order: 1 short: Full unparsed URL. type: keyword 
@@ -6556,6 +7025,7 @@ url: norms: false type: text name: original + normalize: [] order: 0 short: Unmodified original url as seen in the event source. type: keyword @@ -6566,6 +7036,7 @@ url: ignore_above: 1024 level: extended name: password + normalize: [] order: 12 short: Password of the request. type: keyword @@ -6576,6 +7047,7 @@ url: ignore_above: 1024 level: extended name: path + normalize: [] order: 7 short: Path of the request, such as "/search". type: keyword @@ -6587,6 +7059,7 @@ url: format: string level: extended name: port + normalize: [] order: 6 short: Port of the request, such as 443. type: long @@ -6603,6 +7076,7 @@ url: ignore_above: 1024 level: extended name: query + normalize: [] order: 8 short: Query string of the request. type: keyword @@ -6620,6 +7094,7 @@ url: ignore_above: 1024 level: extended name: registered_domain + normalize: [] order: 4 short: The highest registered url domain, stripped of the subdomain. type: keyword @@ -6633,6 +7108,7 @@ url: ignore_above: 1024 level: extended name: scheme + normalize: [] order: 2 short: Scheme of the url. type: keyword @@ -6650,6 +7126,7 @@ url: ignore_above: 1024 level: extended name: top_level_domain + normalize: [] order: 5 short: The effective top level domain (com, org, net, co.uk). type: keyword @@ -6660,6 +7137,7 @@ url: ignore_above: 1024 level: extended name: username + normalize: [] order: 11 short: Username of the request. type: keyword @@ -6685,6 +7163,7 @@ user: ignore_above: 1024 level: extended name: domain + normalize: [] order: 5 short: Name of the directory the user is a member of. type: keyword @@ -6695,6 +7174,7 @@ user: ignore_above: 1024 level: extended name: email + normalize: [] order: 3 short: User email address. type: keyword @@ -6711,6 +7191,7 @@ user: norms: false type: text name: full_name + normalize: [] order: 2 short: User's full name, if available. type: keyword 
@@ -6723,6 +7204,7 @@ user: ignore_above: 1024 level: extended name: domain + normalize: [] order: 2 original_fieldset: group short: Name of the directory the group is a member of. @@ -6734,6 +7216,7 @@ user: ignore_above: 1024 level: extended name: id + normalize: [] order: 0 original_fieldset: group short: Unique identifier for the group on the system/platform. @@ -6745,6 +7228,7 @@ user: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 original_fieldset: group short: Name of the group. @@ -6760,18 +7244,20 @@ user: ignore_above: 1024 level: extended name: hash + normalize: [] order: 4 short: Unique user hash to correlate information for a user in anonymized form. type: keyword id: dashed_name: user-id - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. flat_name: user.id ignore_above: 1024 level: core name: id + normalize: [] order: 0 - short: One or multiple unique identifiers of the user. + short: Unique identifiers of the user. type: keyword name: dashed_name: user-name @@ -6786,6 +7272,7 @@ user: norms: false type: text name: name + normalize: [] order: 1 short: Short name or login of the user. type: keyword @@ -6818,6 +7305,7 @@ user_agent: ignore_above: 1024 level: extended name: device.name + normalize: [] order: 3 short: Name of the device. type: keyword @@ -6829,6 +7317,7 @@ user_agent: ignore_above: 1024 level: extended name: name + normalize: [] order: 1 short: Name of the user agent. type: keyword @@ -6846,6 +7335,7 @@ user_agent: norms: false type: text name: original + normalize: [] order: 0 short: Unparsed user_agent string. type: keyword @@ -6857,6 +7347,7 @@ user_agent: ignore_above: 1024 level: extended name: family + normalize: [] order: 3 original_fieldset: os short: OS family (such as redhat, debian, freebsd, windows). 
@@ -6874,6 +7365,7 @@ user_agent: norms: false type: text name: full + normalize: [] order: 2 original_fieldset: os short: Operating system name, including the version or code name. @@ -6886,6 +7378,7 @@ user_agent: ignore_above: 1024 level: extended name: kernel + normalize: [] order: 5 original_fieldset: os short: Operating system kernel version as a raw string. @@ -6903,6 +7396,7 @@ user_agent: norms: false type: text name: name + normalize: [] order: 1 original_fieldset: os short: Operating system name, without the version. @@ -6915,6 +7409,7 @@ user_agent: ignore_above: 1024 level: extended name: platform + normalize: [] order: 0 original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). @@ -6927,6 +7422,7 @@ user_agent: ignore_above: 1024 level: extended name: version + normalize: [] order: 4 original_fieldset: os short: Operating system version as a raw string. @@ -6939,6 +7435,7 @@ user_agent: ignore_above: 1024 level: extended name: version + normalize: [] order: 2 short: Version of the user agent. type: keyword @@ -6967,6 +7464,8 @@ vulnerability: ignore_above: 1024 level: extended name: category + normalize: + - array order: 7 short: Category of a vulnerability. type: keyword @@ -6979,6 +7478,7 @@ vulnerability: ignore_above: 1024 level: extended name: classification + normalize: [] order: 0 short: Classification of the vulnerability. type: keyword @@ -6997,6 +7497,7 @@ vulnerability: norms: false type: text name: description + normalize: [] order: 8 short: Description of the vulnerability. type: keyword @@ -7009,6 +7510,7 @@ vulnerability: ignore_above: 1024 level: extended name: enumeration + normalize: [] order: 1 short: Identifier of the vulnerability. type: keyword @@ -7023,6 +7525,7 @@ vulnerability: ignore_above: 1024 level: extended name: id + normalize: [] order: 9 short: ID of the vulnerability. type: keyword 
@@ -7035,6 +7538,7 @@ vulnerability: ignore_above: 1024 level: extended name: reference + normalize: [] order: 2 short: Reference of the vulnerability. type: keyword @@ -7046,6 +7550,7 @@ vulnerability: ignore_above: 1024 level: extended name: report_id + normalize: [] order: 12 short: Scan identification number. type: keyword @@ -7057,6 +7562,7 @@ vulnerability: ignore_above: 1024 level: extended name: scanner.vendor + normalize: [] order: 10 short: Name of the scanner vendor. type: keyword @@ -7071,6 +7577,7 @@ vulnerability: flat_name: vulnerability.score.base level: extended name: score.base + normalize: [] order: 3 short: Vulnerability Base score. type: float @@ -7084,6 +7591,7 @@ vulnerability: flat_name: vulnerability.score.environmental level: extended name: score.environmental + normalize: [] order: 5 short: Vulnerability Environmental score. type: float @@ -7096,6 +7604,7 @@ vulnerability: flat_name: vulnerability.score.temporal level: extended name: score.temporal + normalize: [] order: 4 short: Vulnerability Temporal score. type: float @@ -7114,6 +7623,7 @@ vulnerability: ignore_above: 1024 level: extended name: score.version + normalize: [] order: 6 short: CVSS version. type: keyword @@ -7126,6 +7636,7 @@ vulnerability: ignore_above: 1024 level: extended name: severity + normalize: [] order: 11 short: Severity of the vulnerability. type: keyword diff --git a/schemas/README.md b/schemas/README.md index 275e973dc8..e4cafdd45f 100644 --- a/schemas/README.md +++ b/schemas/README.md 
@@ -30,11 +30,15 @@ Supported keys to describe fields - level (required, one of: core, extended): ECS Level of maturity of the field - type (required): Type of the field. Must be set explicitly, no default. - required (TBD): TBD if still relevant. -- short (optional): Optional shorter definition, for display in tight spaces +- short (optional): Optional shorter definition, for display in tight spaces. + Derived automatically if description is short enough. - description (required): Description of the field - example (optional): A single value example of what can be expected in this field -- multi\_fields (optional): +- multi\_fields (optional): Specify additional ways to index the field. - index (optional): If `False`, means field is not indexed (overrides type) +- format: Field format that can be used in a Kibana index template. +- normalize: Normalization steps that should be applied at ingestion time. Supported values: + - array: the content of the field should be an array (even when there's only one value). Supported keys to describe expected values for a field diff --git a/schemas/base.yml b/schemas/base.yml index 75e17bcd86..4029791998 100644 --- a/schemas/base.yml +++ b/schemas/base.yml @@ -32,6 +32,8 @@ example: "[\"production\", \"env2\"]" description: > List of keywords used to tag each event. + normalize: + - array - name: labels level: core diff --git a/schemas/container.yml b/schemas/container.yml index 0f0fdda28f..04cc138572 100644 --- a/schemas/container.yml +++ b/schemas/container.yml @@ -34,7 +34,9 @@ level: extended type: keyword description: > - Container image tag. + Container image tags. + normalize: + - array - name: name level: extended diff --git a/schemas/dns.yml b/schemas/dns.yml index 1b93d1bd8d..6fe8bad326 100644 --- a/schemas/dns.yml +++ b/schemas/dns.yml @@ -54,6 +54,8 @@ Expected values are: AA, TC, RD, RA, AD, CD, DO. example: [RD, RA] + normalize: + - array - name: response_code level: extended 
@@ -142,6 +144,8 @@ At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + normalize: + - array - name: answers.name level: extended @@ -199,3 +203,5 @@ `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. example: [10.10.10.10, 10.10.10.11] + normalize: + - array diff --git a/schemas/event.yml b/schemas/event.yml index 1dac483873..74d11f1eed 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -112,6 +112,8 @@ This field is an array. This will allow proper categorization of some events that fall in multiple categories. example: authentication + normalize: + - array allowed_values: - name: authentication description: > @@ -283,6 +285,8 @@ This field is an array. This will allow proper categorization of some events that fall in multiple event types. + normalize: + - array allowed_values: - name: access description: > diff --git a/schemas/file.yml b/schemas/file.yml index 1bb6794378..5cc4f3c579 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -29,6 +29,8 @@ that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. example: '["readonly", "system"]' + normalize: + - array - name: directory level: extended diff --git a/schemas/host.yml b/schemas/host.yml index bdfe42fc5c..2fdbd9e4f7 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -43,17 +43,22 @@ in your environment. Example: The current usage of `beat.name`. + - name: ip level: core type: ip description: > - Host ip address. + Host ip addresses. + normalize: + - array - name: mac level: core type: keyword description: > - Host mac address. + Host mac addresses. + normalize: + - array - name: type level: core diff --git a/schemas/observer.yml b/schemas/observer.yml index c8aaecc12f..ba511b747e 100644 --- a/schemas/observer.yml 
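Review bot: `event.category` is now marked `normalize: - array`, but its example stays the scalar `example: authentication`, while the other array-normalized fields in this patch carry array examples (`example: [RD, RA]` in dns.yml, `example: '["readonly", "system"]'` in file.yml, `example: '["Firewall"]'` in vulnerability.yml). The example is what the rendered field tables and the CSV show to implementers, so an array literal such as `example: '["authentication"]'` would match the new normalization instead of contradicting it. The same inconsistency is in every tactic and technique hunk of threat.yml, whose examples (`impact`, `TA0040`, `T1499`, the reference URLs) are scalars as well; the `event.type` hunk does not show its example line, so it may or may not need the same change.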
+++ b/schemas/observer.yml @@ -21,13 +21,17 @@ level: core type: keyword description: > - MAC address of the observer + MAC addresses of the observer + normalize: + - array - name: ip level: core type: ip description: > - IP address of the observer. + IP addresses of the observer. + normalize: + - array - name: hostname level: core diff --git a/schemas/process.yml b/schemas/process.yml index bc9450f66d..a779d12107 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -140,6 +140,8 @@ May be filtered to protect sensitive information. example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] + normalize: + - array - name: parent.args level: extended @@ -150,6 +152,8 @@ May be filtered to protect sensitive information. example: ["ssh", "-l", "user", "10.0.0.16"] + normalize: + - array - name: args_count level: extended diff --git a/schemas/related.yml b/schemas/related.yml index 4b03ce1227..fd68c8b74f 100644 --- a/schemas/related.yml +++ b/schemas/related.yml @@ -22,12 +22,16 @@ type: ip description: > All of the IPs seen on your event. + normalize: + - array - name: user level: extended type: keyword description: > All the user names seen on your event. + normalize: + - array - name: hash level: extended @@ -37,3 +41,5 @@ All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + normalize: + - array diff --git a/schemas/threat.yml b/schemas/threat.yml index 19c39ae115..d502217438 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -33,6 +33,8 @@ (ex. https://attack.mitre.org/tactics/TA0040/ ) example: impact + normalize: + - array - name: tactic.id level: extended @@ -43,6 +45,8 @@ (ex. https://attack.mitre.org/tactics/TA0040/ ) example: TA0040 + normalize: + - array - name: tactic.reference level: extended 
@@ -53,6 +57,8 @@ (ex. https://attack.mitre.org/tactics/TA0040/ ) example: https://attack.mitre.org/tactics/TA0040/ + normalize: + - array - name: technique.name level: extended @@ -66,6 +72,8 @@ (ex. https://attack.mitre.org/techniques/T1499/ ) example: endpoint denial of service + normalize: + - array - name: technique.id level: extended @@ -76,6 +84,8 @@ (ex. https://attack.mitre.org/techniques/T1499/ ) example: T1499 + normalize: + - array - name: technique.reference level: extended @@ -86,3 +96,5 @@ (ex. https://attack.mitre.org/techniques/T1499/ ) example: https://attack.mitre.org/techniques/T1499/ + normalize: + - array diff --git a/schemas/tls.yml b/schemas/tls.yml index 3af916db6e..8ab6d23ac3 100644 --- a/schemas/tls.yml +++ b/schemas/tls.yml @@ -71,6 +71,8 @@ level: extended description: Array of ciphers offered by the client during the client hello. example: ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] + normalize: + - array - name: client.subject type: keyword @@ -104,6 +106,8 @@ usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: ["MII...", "MII..."] + normalize: + - array - name: client.certificate type: keyword @@ -175,6 +179,8 @@ usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: ["MII...", "MII..."] + normalize: + - array - name: server.certificate type: keyword diff --git a/schemas/tracing.yml b/schemas/tracing.yml index c8b452b630..a43b926427 100644 --- a/schemas/tracing.yml +++ b/schemas/tracing.yml 
@@ -3,7 +3,7 @@ title: Tracing root: true group: 2 - short: Fields related to distributed tracing. + short: Fields related to distributed tracing. description: > Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. @@ -19,6 +19,7 @@ A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + - name: transaction.id level: extended type: keyword @@ -26,5 +27,5 @@ short: Unique identifier of the transaction. description: > Unique identifier of the transaction. - + A transaction is the highest level of work measured within a service, such as a request to a server. diff --git a/schemas/user.yml b/schemas/user.yml index 27a315fa0f..b8afd52f16 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -25,7 +25,7 @@ level: core type: keyword description: > - One or multiple unique identifiers of the user. + Unique identifiers of the user. - name: name level: core diff --git a/schemas/vulnerability.yml b/schemas/vulnerability.yml index d67f8e61e1..32982ca8f1 100644 --- a/schemas/vulnerability.yml +++ b/schemas/vulnerability.yml @@ -107,6 +107,8 @@ This field must be an array. example: '["Firewall"]' + normalize: + - array - name: description level: extended diff --git a/scripts/generators/asciidoc_fields.py b/scripts/generators/asciidoc_fields.py index 9f252de684..869b8fbc25 100644 --- a/scripts/generators/asciidoc_fields.py +++ b/scripts/generators/asciidoc_fields.py 
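Review bot: `user.id` is reworded to the plural `Unique identifiers of the user.`, but unlike `host.ip`, `host.mac` and the `observer.*` fields that were pluralized in this patch, no `normalize:` / `- array` is added under it, so the generators will keep describing it as a scalar field while the prose implies a list. Either add the two `normalize` lines after the description, as the other pluralized fields do, or keep the singular wording so the schema and its text agree. The `user.id` field definition starts before this hunk.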
@@ -95,10 +95,15 @@ def render_field_details_row(field): for mf in field['multi_fields']: field_type_with_mf += "* {} (type: {})\n\n".format(mf['flat_name'], mf['type']) + field_normalization = '' + if 'array' in field['normalize']: + field_normalization = "\nNote: this field should contain an array of values.\n\n" + text = field_details_row().format( field_flat_name=field['flat_name'], field_description=render_asciidoc_paragraphs(field['description']), field_example=example, + field_normalization=field_normalization, field_level=field['level'], field_type=field_type_with_mf, ) @@ -235,6 +240,8 @@ def field_details_row(): type: {field_type} +{field_normalization} + {field_example} | {field_level} diff --git a/scripts/generators/csv_generator.py b/scripts/generators/csv_generator.py index 079e7c40b9..ddd79b5d88 100644 --- a/scripts/generators/csv_generator.py +++ b/scripts/generators/csv_generator.py @@ -30,7 +30,7 @@ def save_csv(file, sorted_fields, version): lineterminator='\n') schema_writer.writerow(["ECS_Version", "Indexed", "Field_Set", "Field", - "Type", "Level", "Example", "Description"]) + "Type", "Level", "Normalization", "Example", "Description"]) for field in sorted_fields: key_parts = field['flat_name'].split('.') if len(key_parts) == 1: @@ -46,6 +46,7 @@ def save_csv(file, sorted_fields, version): field['flat_name'], field['type'], field['level'], + ', '.join(field['normalize']), field.get('example', ''), field['short'], ]) @@ -59,6 +60,7 @@ def save_csv(file, sorted_fields, version): mf['flat_name'], mf['type'], field['level'], + '', field.get('example', ''), field['short'], ]) diff --git a/scripts/schema_reader.py b/scripts/schema_reader.py index 7b6eb08cc1..9c0c218dbd 100644 --- a/scripts/schema_reader.py +++ b/scripts/schema_reader.py 
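Review bot: `field_normalization` carries its own leading `\n` and trailing `\n\n`, and the `field_details_row()` template in the second hunk also surrounds `{field_normalization}` with blank lines, so cells with the note get three consecutive blank lines and cells without it still get an empty line where the placeholder was. Building the string as `"Note: this field should contain an array of values.\n\n"` and letting the template supply the separation keeps the vertical spacing uniform across fields. `'array' in field['normalize']` also assumes `normalize` is always a list; it is true here only because `field_set_defaults` in schema_reader.py now inserts `[]`, which is worth a one-line comment above the check. `render_field_details_row` starts before the hunk.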
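Review bot: The new `Normalization` column is inserted between `Level` and `Example`, which shifts `Example` and `Description` for any consumer that reads `fields.csv` by column position rather than by header; appending it after `Description` would expose the same value without moving existing columns. If the middle position is deliberate, a short comment next to the header row saying that the column order is not stable would spare the next reader the question. `', '.join(field['normalize'])` would also quietly produce `a, r, r, a, y` if a schema ever supplied `normalize: array` as a plain string, so the list type should be enforced where the field is read. `save_csv` starts before the hunk.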
@@ -93,6 +93,7 @@ def schema_fields_as_dictionary(schema): def field_set_defaults(field): + dict_set_default(field, 'normalize', []) if field['type'] == 'keyword': dict_set_default(field, 'ignore_above', 1024) if field['type'] == 'text': diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py index 7ace6901aa..40d349eaaf 100644 --- a/scripts/tests/test_ecs_spec.py +++ b/scripts/tests/test_ecs_spec.py @@ -90,6 +90,12 @@ def test_nested_includes_reusable_fields(self): self.assertIn('os.name', observer_keys) self.assertIn('os.name', user_agent_keys) + def test_related_fields_always_arrays(self): + for (field_name, field) in self.ecs_nested['related']['fields'].items(): + self.assertIn('normalize', field.keys()) + self.assertIn('array', field['normalize'], + "All fields under `related.*` should be arrays") + if __name__ == '__main__': unittest.main() diff --git a/scripts/tests/test_schema_reader.py b/scripts/tests/test_schema_reader.py index 13464ac652..6b6be4c583 100644 --- a/scripts/tests/test_schema_reader.py +++ b/scripts/tests/test_schema_reader.py @@ -57,7 +57,7 @@ def test_set_default_values_no_overwrite(self): def test_field_set_defaults_no_short(self): field = {'description': 'a field', 'type': 'faketype'} schema_reader.field_set_defaults(field) - self.assertEqual(field, {'description': 'a field', 'short': 'a field', 'type': 'faketype'}) + self.assertEqual(field, {'description': 'a field', 'short': 'a field', 'type': 'faketype', 'normalize': []}) def test_field_set_multi_field_defaults_missing_name(self): field = { @@ -213,7 +213,8 @@ def test_cleanup_fields_recursive(self): 'flat_name': 'base_set1.reusable_fieldset.reusable_field', 'dashed_name': 'base-set1-reusable-fieldset-reusable-field', 'ignore_above': 1024, - 'short': 'A test field' + 'short': 'A test field', + 'normalize': [], } } } 
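Review bot: `field_set_defaults` fills in `normalize` but never validates it, so a misspelled value (`normalize: [arrays]`) or the scalar form `normalize: array` (a string, which the downstream `'array' in field['normalize']` test in asciidoc_fields.py accepts by substring match) passes silently and the field is simply documented as non-array. Since the README hunk in this patch declares `array` the only supported value, reject anything else right after the default is set: `if not isinstance(field['normalize'], list): raise ValueError(...)`, then `unknown = set(field['normalize']) - {'array'}` and `if unknown: raise ValueError(...)`, with `field.get('name')` in the message so the author can find the offending entry. `field_set_defaults` continues past the hunk.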
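Review bot: The assertion message in `test_related_fields_always_arrays` does not name the offending field, so a failure only reports that some `related.*` entry is not an array; the loop already binds `field_name`, so `self.assertIn('array', field['normalize'], "related.%s should be an array" % field_name)` would make the report actionable. `field.keys()` in the first assertion can be just `field`, since `assertIn` on a dict tests its keys. Both are style points; the check itself is correct.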
@@ -240,7 +241,9 @@ def test_cleanup_fields_recursive(self): 'flat_name': 'base_set2.reusable_fieldset.reusable_field', 'dashed_name': 'base-set2-reusable-fieldset-reusable-field', 'ignore_above': 1024, - 'short': 'A test field' + 'short': 'A test field', + 'normalize': [], + } } }